Aon’s Cyber Solutions recently discovered a security vulnerability in all versions of Drupal 8 below 8.7.11 / 8.8.1. A change in default behavior introduced in Drupal 8’s file_save_upload function can potentially lead to security vulnerabilities in modules or other callers of this function. This issue was discovered by Rohit Kapur.

Aon would like to thank the Drupal security team for working with us as part of our coordinated disclosure process.

Timeline:

08/15/19 – Initial disclosure to security@drupal.org

08/19/19 – Issue confirmed and opened on Drupal’s bug tracker

10/23/19 – Initial patch developed

Nov-Dec – Patches and tests revised

12/17/19 – Final patches developed

12/18/19 – Aon/Drupal coordinated disclosure

Vendor Advisory:

https://www.drupal.org/sa-core-2019-010

SA-CORE-2019-010: Drupal 8 File Upload Vulnerability

Drupal 8 no longer trims the leading dot (“.”) from the filename on upload as Drupal 7 did. Modules or other code relying on the Drupal 7 behavior as a security control can become vulnerable when used with Drupal 8.

For example, Drupal 8 with a file upload module such as IMCE running under the default configuration with an Apache web server, allows authenticated administrative users to upload a .htaccess file that can modify the server’s executable file extensions to achieve remote code execution. Under certain configurations, this issue can be exploited by non-administrative users as well.

This is due to a change in the file_save_upload function between Drupal 7 and Drupal 8. The code snippet below from Drupal 7.6.7 utilizes the trim function to remove leading and trailing dots from the filename input.

drupal-7.67/includes/file.inc:

$file = new stdClass(); $file->uid = $user->uid; $file->status = 0; $file->filename = trim(drupal_basename($_FILES['files']['name'][$form_field_name]), '.'); $file->uri = $_FILES['files']['tmp_name'][$form_field_name]; $file->filemime = file_get_mimetype($file->filename); $file->filesize = $_FILES['files']['size'][$form_field_name];

Conversely, Drupal 8’s file_save_upload function does not call trim and allows filenames with leading and trailing dots. This change in default behavior can lead to security vulnerabilities in cases where modules or other code relies on the previous behavior as a security control. For example, IMCE incorrectly assumes that Drupal 8 core prevents upload of a malicious .htaccess file as Drupal 7 did.

Remediation:

The original Drupal 7 behavior has been restored in Drupal 8.7.11 and 8.8.1. Versions prior to 8.7 do not receive security updates.