CVE-2020-36193: Drupal Directory Traversal Vulnerability Alert

Comments Off on CVE-2020-36193: Drupal Directory Traversal Vulnerability Alert
Drupal Remote Code Execution

Drupal is a free and open-source web content management framework written in PHP and distributed under the GNU General Public License. Drupal provides a back-end framework for at least 12% of the top 10,000 websites worldwide – ranging from personal blogs to corporate, political, and government sites. On January 20, Drupal officially released a security update to fix the Drupal remote code execution vulnerability (CVE-2020-36193). Attackers can use high-risk vulnerabilities to traverse directories, remote code execution, etc., to gain control of the server, which poses a greater security risk.

Vulnerability Detail

Drupal uses pear Archive_Tar as a dependent library. When processing compressed packages in formats such as .tar, .tar.gz, .bz2, or .tlz, due to the lack of strict filtering, attackers can construct compressed packages containing symbolic links and upload them, which may lead to the existence of directory traversal vulnerabilities, and even remote code execution vulnerabilities.

Affected version

  • Drupal < 9.1.3
  • Drupal < 9.0.11
  • Drupal < 8.9.13
  • Drupal < 7.78

Solution

Upgrade Drupal to the latest version. You can set Drupal to prohibit users from uploading compressed packages in formats such as .tar, .tar.gz, .bz2, .tlz, etc.

The post CVE-2020-36193: Drupal Directory Traversal Vulnerability Alert appeared first on InfoTech News.

Related Articles

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
Live Chat
RESOURCES
Get Started
TOOLBOX
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook
Twitter
Google-plus
Wordpress