CVE-2020-13671 Overview
CVE-2020-13671 is an unrestricted file upload vulnerability in Drupal core. The flaw stems from improper sanitization of filenames on uploaded files. Attackers can craft filenames that bypass extension filtering, causing files to be served with the wrong MIME type or executed as PHP under certain hosting configurations. The vulnerability affects Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74. CISA added this issue to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The weakness is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated attackers with file upload privileges can achieve remote code execution on Drupal sites, leading to full site compromise.
Affected Products
- Drupal Core 7.x prior to 7.74
- Drupal Core 8.8.x prior to 8.8.11, 8.9.x prior to 8.9.9
- Drupal Core 9.0.x prior to 9.0.8 (also affecting Fedora 32 and 33 packages)
Discovery Timeline
- 2020-11-20 - CVE-2020-13671 published to NVD alongside the Drupal Security Advisory SA-CORE-2020-012
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2020-13671
Vulnerability Analysis
The vulnerability resides in Drupal core's file upload handling logic. Drupal failed to strip or sanitize certain dangerous filename patterns before storing uploaded files. Attackers can submit files with double extensions or trailing characters such as malicious.php.txt or shell.phar.jpg. Web servers configured to interpret the leftmost recognized extension can execute these files as PHP. Successful exploitation grants the attacker code execution in the context of the web server process.
The attack requires network access and low-privileged authentication, with no user interaction. Because Drupal supports numerous upload entry points — including user avatars, media library uploads, and custom forms — the attack surface is broad. Sites running Apache with mod_php or misconfigured handler directives are most exposed.
Root Cause
The root cause is incomplete filename sanitization in Drupal's file_munge_filename() and related upload validation routines. The sanitization logic did not consistently rewrite or reject filenames containing intermediate dangerous extensions. As a result, files passed validation while retaining executable extension components that Apache or other web servers would honor at request time.
Attack Vector
An authenticated attacker locates any form or endpoint that accepts file uploads. The attacker crafts a payload file whose name contains a PHP-related extension followed by an allowed extension, such as payload.php.gif. After upload, the attacker requests the file URL directly. On vulnerable hosting configurations, the server interprets the PHP component and executes embedded code, returning shell output or pivoting to deeper system access. See the Drupal Security Advisory SA-CORE-2020-012 for the canonical technical write-up.
Detection Methods for CVE-2020-13671
Indicators of Compromise
- Files in Drupal's public files directory with double extensions such as .php.jpg, .phar.txt, or .phtml.png
- Unexpected PHP processes spawned by the web server user following file upload events
- Outbound network connections from the web server to attacker-controlled infrastructure shortly after upload activity
- Modified or newly created .htaccess files inside sites/default/files/
Detection Strategies
- Audit Drupal upload logs and the file_managed database table for filenames containing multiple extension segments
- Inspect web server access logs for direct GET or POST requests to files inside /sites/default/files/ with executable extensions in the path
- Run filesystem integrity checks against the Drupal webroot to identify unauthorized PHP files
Monitoring Recommendations
- Enable verbose logging on file upload modules and forward events to a centralized SIEM
- Alert on process creation where the web server user spawns shells (sh, bash, python) as a child of php-fpm or httpd
- Monitor for new file writes to upload directories where filenames contain .php, .phar, .phtml, or .pht substrings
How to Mitigate CVE-2020-13671
Immediate Actions Required
- Upgrade Drupal core immediately to 7.74, 8.8.11, 8.9.9, or 9.0.8 depending on your branch
- Audit the sites/default/files/ directory for any files with suspicious double extensions and quarantine them
- Review user accounts with upload privileges and rotate credentials for any account showing anomalous activity
- Apply Fedora package updates referenced in the Fedora Package Announcement
Patch Information
The Drupal Security Team released fixes in Drupal 7.74, 8.8.11, 8.9.9, and 9.0.8. The patch rewrites filename sanitization to insert an underscore before dangerous intermediate extensions, ensuring web servers cannot interpret them as executable. Refer to the Drupal Security Advisory SA-CORE-2020-012 for upgrade instructions and the CISA Known Exploited Vulnerabilities Catalog for federal remediation deadlines.
Workarounds
- Configure the web server to refuse execution of PHP files within upload directories using directives such as php_flag engine off or location-based handler removal
- Restrict file upload permissions to trusted roles only until patches are deployed
- Deploy a web application firewall rule that blocks requests to upload paths containing multiple extension segments
# Apache configuration to disable PHP execution in Drupal upload directories
<Directory "/var/www/drupal/sites/default/files">
php_flag engine off
<FilesMatch "\.(php|phar|phtml|pht)\.">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
