Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
Project: Drupal core Date: 2022-July-20 Security risk: Critical 15∕25 Vulnerability: Arbitrary PHP code execution
Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).
However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an
htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default
.htaccess files and possible remote code execution.
This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow
htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.
Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.3.
- If you are using Drupal 9.3, update to Drupal 9.3.19.
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core is not affected.
Auditing your files directory's
.htaccess to ensure it has not been overwritten or overridden in a sub-directory
If your web server uses Apache httpd with
AllowOverride, you should check within your files directories and subdirectories to ensure that any
.htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:
find ./ -name ".htaccess" -print
Drupal automatically creates
.htaccess files like the following in the root of the public files directory:
# Turn off all options we don't need. Options -Indexes -ExecCGI -Includes -MultiViews # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
# Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003# If we know how to do it safely, disable the PHP engine entirely. php_flag engine off php_flag engine off
Check with your system administrator for the correct
.htaccess configuration for the given files directory.