Listen to this Post
How the CVE Works
The vulnerability exploits Kirby’s `router.php` when using PHP’s built-in server. Attackers leverage path traversal sequences (../) to bypass document root restrictions and access files outside the intended directory. The router improperly delegates requests to PHP, allowing attackers to probe for file existence via differential server responses. While file contents aren’t executed or exposed, the flaw reveals sensitive file paths and system structure. Patches enforce document root validation, blocking traversal attempts.
DailyCVE Form
Platform: Kirby CMS
Version: <3.9.8.3, <3.10.1.2, <4.7.1
Vulnerability: Path Traversal
Severity: Medium
Date: 2024-04-15
What Undercode Say:
Exploit:
1. Craft a malicious URL with `../` sequences:
http://localhost:8000/../../../etc/passwd
2. Observe HTTP responses (404 vs. 200) to confirm file existence.
Detection:
curl -v "http://target/router.php?../../../config.php"
Mitigation:
1. Update Kirby to patched versions.
2. Replace PHP’s built-in server with Apache/nginx:
<Directory /var/www/kirby> Require all denied AllowOverride None </Directory>
3. Add manual path sanitization in `router.php`:
$path = realpath($requestedPath);
if (strpos($path, DOCUMENT_ROOT) !== 0) {
die("Invalid path");
}
Log Analysis:
grep "../" /var/log/apache2/access.log
PHP Hardening:
Disable dangerous functions in `php.ini`:
disable_functions = "exec,passthru,shell_exec"
References:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
