Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).
However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution.
This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
Install the latest version:
If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core is not affected.
Auditing your files directory’s .htaccess to ensure it has not been overwritten or overridden in a subdirectory
If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:
find ./ -name “.htaccess” -print
Drupal automatically creates .htaccess files like the following in the root of the public files directory:
# Turn off all options we don’t need.
Options -Indexes -ExecCGI -Includes -MultiViews
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we’re run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php.c>
php_flag engine off
</IfModule>
Check with your system administrator for the correct .htaccess configuration for the given files directory.
This advisory is not covered by Drupal Steward.
xjm of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team
More Stories
openjpeg2-2.5.3-1.fc40
FEDORA-2024-272544ceb9 Packages in this update: openjpeg2-2.5.3-1.fc40 Update description: Update to openjpeg-2.5.3 Fix 2 heap-buffer-overflow Read More
libxml2-2.12.9-1.fc40
FEDORA-2024-9f3765a04b Packages in this update: libxml2-2.12.9-1.fc40 Update description: Update to 2.12.9 Fixes CVE-2024-40896 Read More
libxml2-2.12.9-1.fc41
FEDORA-2024-867a14de12 Packages in this update: libxml2-2.12.9-1.fc41 Update description: Update to 2.12.9 Fixes CVE-2024-40896. Read More
iwd-3.3-1.fc40 libell-0.71-1.fc40
FEDORA-2024-0fa283c43a Packages in this update: iwd-3.3-1.fc40 libell-0.71-1.fc40 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
iwd-3.3-1.fc41 libell-0.71-1.fc41
FEDORA-2024-256818da09 Packages in this update: iwd-3.3-1.fc41 libell-0.71-1.fc41 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
A vulnerability has been discovered in Apache Struts2, which could allow for remote code execution. Apache Struts2 is an open-source...