CVE-2022-25277: Critical Bypass Vulnerability in Drupal Core Sanitizing File Uploads

A critical security vulnerability (CVE-2022-25277) has been identified in Drupal Core, affecting systems utilizing file uploads with specific extensions. This vulnerability allows attackers to bypass Drupal's built-in protections for file uploads, leading to potential remote code execution on Apache web servers.

Background

Drupal core facilitates the protection of file uploads by sanitizing filenames that have dangerous extensions (reference: SA-CORE-202-012) and stripping leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, these two mechanisms did not function correctly in conjunction, resulting in the vulnerability at hand.

Exploit Details

When a site is configured to permit file uploads with an .htaccess extension, the filename is not properly sanitized. This could lead to the uploading of an .htaccess file that bypasses the default protections provided by both Drupal's core files and other Apache web server configurations.

The following code snippet illustrates this vulnerability

// Incorrect sanitization sequence
$new_filename = file_munge_filename($uploaded_filename, $extensions, TRUE);
$uploaded_filename = drupal_basename($uploaded_filename, '.' . $new_filename->getExtension());

As this code snippet suggests, the sanitization sequence does not take into consideration both the dangerous extension and leading/trailing dot stripping.

This issue is mitigated by the fact that it requires a site administrator to explicitly configure a file field to allow .htaccess as an extension, a restricted permission typically not granted to regular users. Alternatively, a contributed module or custom code that overrides allowed file uploads could put a site at risk.

Impact

The exploitation of this vulnerability may allow attackers to execute arbitrary code on affected systems, posing a wide risk to the security of the server and its data. To better understand the issue, consider the following scenario:

An attacker with the knowledge of this vulnerability could potentially upload an .htaccess file with PHP code execution enabled. The attacker may then access a PHP file uploaded separately to execute arbitrary code on the server. This can lead to unauthorized server access, database compromise, and other severe consequences.

Recommendations and Mitigations

It is imperative for those running Drupal sites to implement the following steps to secure their systems:

1. Review file field configurations and ensure that .htaccess is not listed as an allowed extension. If necessary, remove .htaccess from the list of permitted extensions.
2. Update to the latest version of Drupal Core, which includes patched code addressing this vulnerability.
3. Audit any contributed modules or custom code allowing file uploads to ensure that allowed file extensions do not include .htaccess, and update them accordingly.

In conclusion, it is crucial to be aware of vulnerabilities in web frameworks to ensure the security of your applications and systems. Regularly updating, monitoring, and auditing your software can help reduce the likelihood of an attacker being able to take advantage of known vulnerabilities.

Timeline

Published on: 04/26/2023 15:15:00 UTC
Last modified on: 05/09/2023 19:26:00 UTC