Install the latest version:
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core is not affected.
Auditing your files directory’s .htaccess
to ensure it has not been overwritten or overridden in a subdirectory
If your web server uses Apache httpd with AllowOverride
, you should check within your files directories and subdirectories to ensure that any .htaccess
files present are intentional. You can search for files named .htaccess
by running the following command in the roots of both your public and private files directory:
find ./ -name ".htaccess" -print
Drupal automatically creates .htaccess
files like the following in the root of the public files directory:
# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php.c>
php_flag engine off
</IfModule>
Check with your system administrator for the correct .htaccess
configuration for the given files directory.
This advisory is not covered by Drupal Steward.