Backdrop core - Critical - Remote code execution - SA-CORE-2020-007
Date: Wednesday, Nov 18th, 2020 Security risk: Critical Advisory ID: BACKDROP-SA-CORE-2020-007 CVE ID: CVE-2020-13671 Vulnerability: Remote Code Execution
- Backdrop Core 1.17.x versions prior to 1.17.3
- Backdrop Core 1.16.x versions prior to 1.16.5
Backdrop versions 1.15 and prior do not receive security coverage.
Backdrop core does not properly sanitize certain filenames on uploaded files. This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type, or executed as PHP for certain hosting configurations.
Upgrade your site to the most recent version of Backdrop core. If you are on AltaGrade hosting platform, then just running the
brush up backdrop -y && brush updb -y from command line is all you need to take care of the problem.
Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like