Skip to content

5.5.2

Latest

Choose a tag to compare

@bastianallgeier bastianallgeier released this 15 Jul 08:03
81689c7

Note

This release is part of our monthly security release series. Find out more about those releases and their background on our website: https://getkirby.com/buzz/security-update

🚨 Security

Access to image files and limited access to JSON files outside of the site root via path traversal in the media handling

This vulnerability affects all Kirby sites that are deployed to a server that allows to request URLs with encoded slashes (%2f) such as nginx, the built-in PHP server or Apache setups that have the option AllowEncodedSlashes enabled.

It was possible to create and access thumbnails from media files in arbitrary accessible directories on the server that have a valid thumbnail configuration (JSON job file). It was also possible to detect the presence of files with the .json file extension anywhere on the server.

This vulnerability is of high severity for affected sites.

Server setups running on Apache's default configuration or other servers that have been hardened against encoded slashes in URLs are not affected.

Thanks to Jorge González Milla (@Pig-Tail) for responsibly reporting the identified issue.

File upload permissions are not checked during processing of chunk data

This vulnerability affects all Kirby sites where users of a particular role have access to the REST API (access.panel permission is enabled) but no permission to upload any kind of file (files.create, files.replace and user/users.update permissions are all disabled).

It was possible to fill up the temporary directory for chunked uploads with unfinished chunks even as a user without any upload permission.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if you intend all users of your site to be able to upload files. The vulnerability can only be exploited by authenticated users. It was not possible to bypass the actual permission checks for any files that end up in the content or site/accounts folders.

Thanks to @alcls01111 for responsibly reporting the identified issue.

System path exposure from error messages in the REST API

This vulnerability affects all Kirby sites that have not disabled the REST API with the 'api' => false option.

It was possible to trigger a PHP error in the API backend that would expose the full filesystem path of the Kirby installation on the server. This could be used to guess the default content.salt or prepare specialized attacks.

Thanks to Peter Levashov (@petersevera) for responsibly reporting the identified issue.

Access to image files outside of the site root via path traversal in the media handling

This vulnerability affects all Kirby sites that are deployed in a way that their index root on the server is next to a second directory that is read-accessible to PHP and shares the same name prefix (such as the site with the index root /var/www/site being next to /var/www/site2).

It was possible to create and access thumbnails from media files within such sibling directories that have a valid thumbnail configuration (JSON job file). This can affect staging sites, site backups or other internal sites.

Thanks to @0x1saac for responsibly reporting the identified issue.

🚨 Security fixes

  • Kirby\Filesystem\Dir::realpath()/Kirby\Filesystem\F::realpath(): Fixed path traversal via prefix match. Now requires an exact match or a DIRECTORY_SEPARATOR boundary.
  • Kirby\Cms\Media::thumb(): Rejects path traversals via filenames
  • The Asset class and asset() helper no longer accept paths with ../ sequences to protect against path traversal
  • API: Disguise errors file paths in debug mode. When not in debug mode, only show a generic error.
  • Chunked file uploads now verify the user's upload permission before any data is written, so users who are not allowed to upload can no longer leave partial files behind in site/cache/.uploads.
  • Chunked uploads now enforce the file template's maxsize consistently across all chunks and reject requests that change the file template or total upload length between chunks.

🐛 Bug fixes

  • Fixed site preview URL adhering to site.preview permission as well as pages.preview permission/option for the home page
  • Fixed ModelPermissions::canFromCache() handling of $default argument, incl. proper caching of it
  • Localize the "Invalid form with errors" save toast to the Panel language #8278

☠️ Deprecated

  • For the site preview, currently the home page preview permission is checked alongside site.preview. The check for the home page pages.preview permission has been deprecated and will be removed in the next major release. Please use the site.preview permission.