Drupal, a leading content management service (CMS) platform, has fixed a critical bug that could allow hackers to gain access over vulnerable websites.
Drupal is currently the fourth most used content management service (CMS) platform on Internet after WordPress, Shopify and Joomla.
Drupal’s engineering team this week released security updates to patch the critical vulnerability, reports ZDNet.
Tracked as CVE-2020-13671, the vulnerability is easy to exploit and relies on double extension trick.
Attackers can add a second extension to a malicious file, upload it on a Drupal site through open upload fields, and have the malicious executed.
The Drupal team said the vulnerability the CMS does not sanitize certain file names, allowing some malicious files to slip through.
This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
Last month, the cyber security researchers unearthed a massive botnet network called KashmirBlack, being run from Indonesia, that has attacked websites running popular content management systems (CMSs) like WordPress, Drupal and Joomla, among others.
The sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security form Imperva.
The botnet’s primary purpose appears to infect websites, and then use their servers for cryptocurrency mining.
Based in Indonesia, the hackers have a command-and-control (C&C) infrastructure to operate KashmirBlack.