Backdrop core - Critical - Remote code execution - SA-CORE-2020-007

Date: Wednesday, Nov 18th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2020-007
CVE ID: CVE-2020-13671
Vulnerability: Remote Code Execution

Versions affected

• Backdrop Core 1.17.x versions prior to 1.17.3
• Backdrop Core 1.16.x versions prior to 1.16.5

Backdrop versions 1.15 and prior do not receive security coverage.

Description

Backdrop core does not properly sanitize certain filenames on uploaded files. This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type, or executed as PHP for certain hosting configurations.

Solution

Upgrade your site to the most recent version of Backdrop core. If you are on AltaGrade hosting platform, then just running the brush up backdrop -y && brush updb -y from command line is all you need to take care of the problem.

Otherwise, download available on the Backdrop CMS 1.17.3 release page. See the update instructions, if needed.

Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif.