Kirby CMS 2.1.0 CSRF / Shell Upload
Posted on 17 September 2015
============================================= - Release date: 14.09.2015 - Discovered by: Dawid Golunski - Severity: High ============================================= I. VULNERABILITY ------------------------- Kirby CMS <= 2.1.0 CSRF Content Upload and PHP Script Execution II. BACKGROUND ------------------------- - Kirby CMS "Kirby is a file‑based CMS Easy to setup. Easy to use. Flexible as hell." http://getkirby.com/ III. INTRODUCTION ------------------------- KirbyCMS has a vulnerability that allows to upload normally disallowed PHP script files. This issue can only be exploited by authenticated users, however admin role is not required. Additionally, KirbyCMS has another vulnerability - Cross-Site Request Forgery (CSRF) - which may allow attackers to perform file upload actions on behalf of an already authenticated KirbyCMS users, if an attacker manages to trick them into visiting a specially-crafted website. This issue can allow an unauthorised attacker to modify or upload new content. Both of the issues can be combined to execute arbitrary PHP code on the remote server hosting KirbyCMS, if a logged-in victim visits a malicious page containing an exploit crafted by an attacker. IV. PHP Code Execution ------------------------- KirbyCMS allows to upload content to both admin and a low privileged editor users who can access the control panel. The upload feature allows to upload images and other media files which can be referenced within the content once uploaded. KirbyCMS performs the following validation before saving an uploaded file to prohibit risky uploads: ---[ panel/app/controllers/api/files.php ]--- protected function checkUpload($file, $blueprint) { if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) { throw new Exception('Content files cannot be uploaded'); } else if(strtolower($file->extension()) == 'php' or in_array($file->mime(), f::$mimes['php'])) { throw new Exception('PHP files cannot be uploaded'); } else if(strtolower($file->extension()) == 'html' or $file->mime() == 'text/html') { throw new Exception('HTML files cannot be uploaded'); ... } --------------------------------------------- As we can see it prevents uploading PHP files by checking if an uploaded file has a '.php' extension, or if the discovered MIME type of the file has been evaluated to PHP. KirbyCMS throws an exception and stops further processing if either of the conditions is true. Unfortunately, both of the checks can easily be bypassed on multiple server configurations. As many server configurations such as Ubuntu, or Debian, process several file extensions as PHP scripts, e.g.: .php, .php4, .php5. The extension check can for example be evaded by simply uploading a malicious file with the '.php4' extension. The MIME type check can also be easily bypassed by preceding the <?php script tags with <?xml tags , to trick the MIME detector into recognising the malicious file as XML thus passing the check (mime['php'] != mime['xml']). As the upload directory is not set to disable script execution by default, bypassing the checks allows to upload arbitrary PHP scripts and execute them on the remote server hosting a vulnerable KirbyCMS installation. V. CSRF ------------------------- Media files are only meant to be uploaded by authenticated users such as editors or site administrators. However, KirbyCMS's upload function does not protect against cross-site request forgery by including a special CSRF token to verify the source of the request. As a result, an attacker can prepare a specially-crafted webpage which will upload a malicious file to the remote KirbyCMS site without user's permission, if the attacker manages to trick the logged-in victim into visiting his page. VI. PROOF OF CONCEPT ------------------------- Both of the issues described above can be combined to prepare a malicious page which uploads an arbitrary PHP file as soon as a victim authenticated into KirbyCMS visits the page. An malicious CSRF html page could send a request similar to the following: POST /kirby/panel/api/files/upload/about HTTP/1.1 Host: victim_kirby_server Content-Type: multipart/form-data; boundary=---------------------------4679830631250006491995140822 Content-Length: 261 Origin: null Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00... -----------------------------4679830631250006491995140822 Content-Disposition: form-data; name="file"; filename="kirbyexec.php5" Content-Type: application/x-php <?xml > <?php phpinfo(); ?> -----------------------------4679830631250006491995140822-- uploading the file as a result into the: kirby/content/1-about directory on the server. The malicious file can then be accessed via the URL: http://victim_kirby_server/kirby/content/1-about/kirbyexec.php5 Once opened, phpinfo() page should be loaded. VII. BUSINESS IMPACT ------------------------- By combining the two issues an attacker could execute arbitrary PHP code on the remote server without any authentication to gain full control over the website using a vulnerable KirbyCMS. VIII. SYSTEMS AFFECTED ------------------------- The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable. To exploit the PHP script execution vulnerability the webserver must be configured to process files as PHP with extensions other than .php. Ubuntu and Debian systems fulfill this condition. There might be more systems which are configured in this way by default, or have been reconfigured to do so. To gain access to the control panel and upload a malicious PHP file, an attacker may be able to exploit a separate, Authentication Bypass issue also discovered by Dawid Golunski, described in a separate document. IX. SOLUTION ------------------------- Upgrade to the patched version 2.1.1 released by the vendor upon this advisory. X. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/KirbyCMS-CSRF-PHP-File-Upload-Vulnerability.txt http://getkirby.com/ http://seclists.org/fulldisclosure/2015/Sep/index.html http://www.securiteam.com/ XI. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com legalhackers.com XII. REVISION HISTORY ------------------------- 14.09.2015 - Final XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.