SB2020120235 - Multiple vulnerabilities in Kirby
Published: December 2, 2020 Updated: April 23, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2020-26255)
The vulnerability allows an authenticated remote user to execute arbitrary code on the server.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in the Panel's content file upload handling: a PHP Phar archive could be uploaded as a content file through the Panel. A remote user with Panel access can upload a crafted .phar file and have it executed as PHP code on the server.
Only authenticated Panel users with full access to the Kirby Panel can exploit this issue; visitors without Panel access cannot use this attack vector.
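The check a practitioner wants behind this finding is content-aware rejection rather than an extension blocklist: PHP recognises a Phar archive by searching the file for its `__HALT_COMPILER();` stub token, so a Phar renamed to `.jpg`, or one prefixed with a JPEG header, is still a usable Phar. The following Python is an added example written for this bulletin, not Kirby's upload handling or any code from the vendor; the extension list, the function names and the sample files are assumptions constructed for the illustration. It generalises beyond the `.phar` case on the page to renamed, polyglot, double-extension and zip-based Phars.

```python
"""Content-aware rejection of PHP and Phar uploads.

Illustrative Python, not Kirby's own upload handling. The extension list and
the sample inputs are assumptions chosen for the example.
"""
from __future__ import annotations

import io
import re
import zipfile

# Suffixes that typical PHP web server configurations hand to the PHP
# interpreter, plus the Phar suffix itself. Assumed list, not Kirby's config.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "phtml", "pht", "phar",
}

# A phar-based Phar begins with a PHP stub that must contain this token. PHP
# locates the archive by searching for it, so bytes before it (for example a
# JPEG header) are ignored. That is what makes renamed and polyglot Phars work.
PHAR_STUB_TOKEN = b"__HALT_COMPILER();"

# Plain PHP scripts announce themselves with an open tag.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def extension_parts(filename: str) -> list[str]:
    """Every dotted suffix, so 'shell.phar.jpg' yields ['phar', 'jpg'].

    All suffixes are checked because some Apache mod_mime setups execute
    'x.php.jpg' as PHP.
    """
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_zip_based_phar(data: bytes) -> bool:
    """Zip-based Phars keep their stub and alias under a reserved '.phar/' directory."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.startswith(".phar/") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons: list[str] = []
    bad_exts = [e for e in extension_parts(filename) if e in EXECUTABLE_EXTENSIONS]
    if bad_exts:
        reasons.append("executable extension in name: " + ", ".join(bad_exts))
    if PHAR_STUB_TOKEN in data:
        reasons.append("phar stub token present (renamed or polyglot phar)")
    if PHP_OPEN_TAG.search(data):
        reasons.append("php open tag present")
    if is_zip_based_phar(data):
        reasons.append("zip archive with reserved .phar/ entries")
    return reasons


def constructed_samples() -> dict[str, tuple[str, bytes]]:
    """Constructed inputs for the demo, not real uploads."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    stub = b"<?php __HALT_COMPILER(); ?>\r\n"
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(".phar/stub.php", "<?php __HALT_COMPILER(); ?>")
        zf.writestr("index.php", "<?php echo 'payload';")
    return {
        "benign": ("photo.png", png),
        "phar": ("update.phar", stub + b"\x00" * 16),
        "polyglot": ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16 + stub),
        "double_ext": ("photo.php.jpg", png),
        "zip_phar": ("theme.zip", zip_buf.getvalue()),
    }


if __name__ == "__main__":
    for label, (name, data) in constructed_samples().items():
        verdict = classify_upload(name, data)
        outcome = "accept" if not verdict else "reject: " + "; ".join(verdict)
        print(f"{label:11} {name:15} -> {outcome}")
```

Run stand-alone, the script prints one verdict per constructed sample; only `photo.png` is accepted. The content checks are deliberately independent of the filename, because the filename is the one thing the uploader fully controls.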
2) External Initialization of Trusted Variables or Data Stores (CVE-ID: CVE-2020-26253)
The vulnerability allows a remote, unauthenticated attacker to register the first Panel account and thereby gain administrative access.
The vulnerability exists because the Panel installation block decides whether a site is "local" (and therefore allowed to use the web-based installer) from data the request or the deployment topology controls: sites served on .dev domains and sites behind some reverse proxy setups were wrongly treated as local installations. A remote attacker who reaches the Panel registration flow before the legitimate administrator can register the first Panel account and obtain administrative access.
Exploitation is only possible while no Panel account has been created yet.
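The design flaw behind this finding is deciding a security-sensitive mode from signals the application does not control: a hostname suffix is whatever the operator registered (and .dev is a public TLD), and behind a reverse proxy on the same host the peer address is always loopback. The example below is added here and is not Kirby's own code or its actual check; it contrasts that inference with an explicit operator-set switch. Environment keys follow the CGI convention, and `install_enabled` together with the scenario data are assumptions constructed for the illustration.

```python
"""Installer gating: inferred locality (flawed) beside an explicit switch (hardened).

Illustrative Python, not Kirby's code. Environment keys follow the CGI
convention (SERVER_NAME, SERVER_ADDR, REMOTE_ADDR); 'install_enabled' is an
assumed configuration key invented for this example.
"""
from __future__ import annotations

import ipaddress


def is_local_weak(env: dict[str, str]) -> bool:
    """Flawed pattern: infer 'local' from a hostname suffix and from whichever
    address is available. Neither is under the application's control."""
    name = env.get("SERVER_NAME", "")
    # Behind a reverse proxy on the same machine both addresses are loopback
    # even though the client is on the internet.
    addr = env.get("SERVER_ADDR") or env.get("REMOTE_ADDR", "")
    return (
        name == "localhost"
        or name.endswith(".dev")  # .dev is a public, resolvable TLD
        or addr in {"127.0.0.1", "::1"}
    )


def installer_allowed_weak(env: dict[str, str], accounts_exist: bool) -> bool:
    """The installer is reachable on any site the weak check mistakes for local."""
    return not accounts_exist and is_local_weak(env)


def installer_allowed_strict(config: dict[str, bool], accounts_exist: bool) -> bool:
    """Hardened pattern: the installer opens only when an operator explicitly
    enabled it in server-side configuration and no account exists yet. Nothing
    derived from the request (host header, peer address, proxy headers) is used."""
    return not accounts_exist and config.get("install_enabled", False) is True


def peer_is_loopback(env: dict[str, str]) -> bool:
    """Defense in depth only: a genuine loopback peer check. It still returns
    True for a same-host reverse proxy, so it must never be the sole gate."""
    try:
        return ipaddress.ip_address(env.get("REMOTE_ADDR", "")).is_loopback
    except ValueError:
        return False


def constructed_scenarios() -> dict[str, dict[str, str]]:
    """Constructed CGI-style request environments, not captured traffic."""
    return {
        # Public site on a .dev hostname, client on the internet.
        "public_dev_tld": {"SERVER_NAME": "blog.example.dev",
                           "SERVER_ADDR": "198.51.100.7", "REMOTE_ADDR": "203.0.113.5"},
        # Public site behind a proxy on the same host: the app only sees loopback.
        "same_host_proxy": {"SERVER_NAME": "example.com", "SERVER_ADDR": "127.0.0.1",
                            "REMOTE_ADDR": "127.0.0.1",
                            "HTTP_X_FORWARDED_FOR": "203.0.113.5"},
        # Developer's own machine: the only case the weak check was meant to catch.
        "developer_laptop": {"SERVER_NAME": "localhost", "SERVER_ADDR": "127.0.0.1",
                             "REMOTE_ADDR": "127.0.0.1"},
        # Ordinary public deployment with no proxy.
        "public_direct": {"SERVER_NAME": "example.com",
                          "SERVER_ADDR": "198.51.100.7", "REMOTE_ADDR": "203.0.113.5"},
    }


if __name__ == "__main__":
    for label, env in constructed_scenarios().items():
        weak = installer_allowed_weak(env, accounts_exist=False)
        strict = installer_allowed_strict({}, accounts_exist=False)
        print(f"{label:16} weak={weak!s:5} strict(no opt-in)={strict!s:5} "
              f"loopback_peer={peer_is_loopback(env)}")
```

Run stand-alone, the script shows the weak gate opening the installer for the `.dev` site and for the site behind a same-host proxy, while the strict gate stays closed everywhere until the operator flips the switch. The second guard on both sides, "no account exists yet", is why the bulletin's exploitation condition holds: creating the first account closes the window.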
Remediation
Install the update from the vendor's website. Until it is applied: the second issue is unreachable once a Panel account exists, so make sure every reachable installation has had its first account created by the legitimate administrator and treat any unexpected first account as a sign of compromise; for the first issue, limit Panel access and upload rights to users who can be trusted with code execution on the server.