Note
This release is part of our monthly security release series. Find out more about those releases and their background on our website: https://getkirby.com/buzz/security-update
🚨 Security
Access to image files and limited access to JSON files outside of the site root via path traversal in the media handling
This vulnerability affects all Kirby sites that are deployed to a server that allows to request URLs with encoded slashes (%2f) such as nginx, the built-in PHP server or Apache setups that have the option AllowEncodedSlashes enabled.
It was possible to create and access thumbnails from media files in arbitrary accessible directories on the server that have a valid thumbnail configuration (JSON job file). It was also possible to detect the presence of files with the .json file extension anywhere on the server.
This vulnerability is of high severity for affected sites.
Server setups running on Apache's default configuration or other servers that have been hardened against encoded slashes in URLs are not affected.
- CVE ID: pending
- Severity: high (CVSS score 8.2)
- Advisory: GHSA-9vx2-j98c-p72w
Thanks to Jorge González Milla (@Pig-Tail) for responsibly reporting the identified issue.
File upload permissions are not checked during processing of chunk data
This vulnerability affects all Kirby sites where users of a particular role have access to the REST API (access.panel permission is enabled) but no permission to upload any kind of file (files.create, files.replace and user/users.update permissions are all disabled).
It was possible to fill up the temporary directory for chunked uploads with unfinished chunks even as a user without any upload permission.
This vulnerability is of high severity for affected sites.
Your Kirby sites are not affected if you intend all users of your site to be able to upload files. The vulnerability can only be exploited by authenticated users. It was not possible to bypass the actual permission checks for any files that end up in the content or site/accounts folders.
- CVE ID: pending
- Severity: high (CVSS score 7.1)
- Advisory: GHSA-67mx-6wf2-92xp
Thanks to @alcls01111 for responsibly reporting the identified issue.
System path exposure from error messages in the REST API
This vulnerability affects all Kirby sites that have not disabled the REST API with the 'api' => false option.
It was possible to trigger a PHP error in the API backend that would expose the full filesystem path of the Kirby installation on the server. This could be used to guess the default content.salt or prepare specialized attacks.
- CVE ID: pending
- Severity: moderate (CVSS score 6.9)
- Advisory: GHSA-rf2p-vh74-7vvh
Thanks to Peter Levashov (@petersevera) for responsibly reporting the identified issue.
Access to image files outside of the site root via path traversal in the media handling
This vulnerability affects all Kirby sites that are deployed in a way that their index root on the server is next to a second directory that is read-accessible to PHP and shares the same name prefix (such as the site with the index root /var/www/site being next to /var/www/site2).
It was possible to create and access thumbnails from media files within such sibling directories that have a valid thumbnail configuration (JSON job file). This can affect staging sites, site backups or other internal sites.
- CVE ID: pending
- Severity: moderate (CVSS score 6.9)
- Advisory: GHSA-6j4c-mgqr-qv76
Thanks to @0x1saac for responsibly reporting the identified issue.
🚨 Security fixes
Kirby\Filesystem\Dir::realpath()/Kirby\Filesystem\F::realpath(): Fixed path traversal via prefix match. Now requires an exact match or aDIRECTORY_SEPARATORboundary.Kirby\Cms\Media::thumb(): Rejects path traversals via filenames- The
Assetclass andasset()helper no longer accept paths with../sequences to protect against path traversal - API: Disguise errors file paths in debug mode. When not in debug mode, only show a generic error.
- Chunked file uploads now verify the user's upload permission before any data is written, so users who are not allowed to upload can no longer leave partial files behind in
site/cache/.uploads. - Chunked uploads now enforce the file template's
maxsizeconsistently across all chunks and reject requests that change the file template or total upload length between chunks.
🐛 Bug fixes
- Fixed site preview URL adhering to
site.previewpermission as well aspages.previewpermission/option for the home page - Fixed
ModelPermissions::canFromCache()handling of$defaultargument, incl. proper caching of it - Localize the "Invalid form with errors" save toast to the Panel language #8278
☠️ Deprecated
- For the site preview, currently the home page preview permission is checked alongside
site.preview. The check for the home pagepages.previewpermission has been deprecated and will be removed in the next major release. Please use thesite.previewpermission.