How the CVE Works
The vulnerability in Kirby’s `collection()` helper and `$kirby->collection()` method allows path traversal attacks when dynamic collection names are used. Attackers can manipulate the input with sequences like `../` to escape the restricted `site/collections` directory. This enables arbitrary file read and PHP code execution on the server. The issue arises due to insufficient path sanitization, letting attackers access sensitive files (e.g., configs, tokens) or execute unintended scripts. Fixed versions enforce path containment checks.
DailyCVE Form
Platform: Kirby CMS
Version: <3.9.8.3, <3.10.1.2, <4.7.1
Vulnerability: Path Traversal
Severity: Critical
Date: 2024-04-10
What Undercode Says:
Exploit:
1. Craft a malicious request with `../` sequences:
```php
collection('../../etc/passwd');
```
2. Use fuzzing to find dynamic collection calls:
```bash
ffuf -u "https://target.com/?col=FUZZ" -w traversal.txt
```
3. Extract PHP files:
```php
collection('../../../config.php');
```
Protection:
1. Update Kirby to patched versions.
2. Sanitize dynamic inputs:
```php
$col = basename($_GET['col']);
collection($col);
```
3. Restrict PHP process permissions:
```bash
chown www-data:www-data /var/www/html -R
```
4. Add `.htaccess` deny rules:
```apache
<FilesMatch "\.(php|inc)$">
    Require all denied
</FilesMatch>
```
5. Log suspicious requests:
```php
if (str_contains($input, '../')) {
    error_log("Path traversal attempt: $input");
}
```
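The `basename()` step above also flattens legitimate nested collection names. The following is an added example, not Kirby's own code, of the containment check the fixed versions are described as enforcing: an allow-list on the name plus a `realpath()` check that the resolved file stays under the collections root, which also catches a symlink the allow-list cannot see. It assumes PHP 8, collections stored as `site/collections/<name>.php` (subfolders allowed), and a constructed demo root with one hypothetical `articles/recent` collection.

```php
<?php
declare(strict_types=1);

// Resolve an untrusted collection name to a file under $root, or return null
// when the name is malformed, escapes the root, or names a missing file.
function safeCollectionPath(string $root, string $name): ?string
{
    // Allow-list: [A-Za-z0-9_-] segments joined by single slashes. Rejects
    // '..', a leading '/', backslashes, NUL bytes, empty names and a trailing
    // newline (the D modifier stops '$' matching before "\n").
    if (preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$~D', $name) !== 1) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() returns false for missing files and resolves symlinks, so
    // the prefix test below also rejects a symlink planted inside the root.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

// Constructed demo root (assumption: not a real Kirby install).
$root = sys_get_temp_dir() . '/kirby-collections-demo';
if (!is_dir($root . '/articles')) {
    mkdir($root . '/articles', 0700, true);
}
file_put_contents(
    $root . '/articles/recent.php',
    "<?php\nreturn fn (\$site) => \$site->children();\n"
);

$probes = [
    'articles/recent',        // legitimate nested collection: allowed
    '../../etc/passwd',       // traversal from the advisory: rejected
    'articles/../../config',  // traversal behind a valid segment: rejected
    '/etc/passwd',            // absolute path: rejected
    'missing',                // well-formed but absent: rejected
];
foreach ($probes as $name) {
    printf("%-24s => %s\n", $name, safeCollectionPath($root, $name) ?? 'REJECTED');
}
```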
Analytics:
- Attack Vector: Remote, low complexity.
- Prerequisites: Dynamic collection name usage.
- CVSS: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Sources:
Reported By: github.com