800+ IT
News
als RSS Feed abonnieren๐ Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010
๐ก Newskategorie: IT Security Nachrichten
๐ Quelle: drupal.org
Project:ย
Version:ย
8.8.x-dev
8.7.x-dev
Date:ย
2019-December-18
Security risk:ย
Vulnerability:ย
Multiple vulnerabilities
Description:ย
Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.
Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.
After this fix, file_save_upload() now trims leading and trailing dots from filenames.
Solution:ย
Reported By:ย
Fixed By:ย
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Kim Pepper
- Alex Pott of the Drupal Security Team
- Derek Wright
- Jess of the Drupal Security Team
- David Rothstein of the Drupal Security Team