Kirby CMS multi-vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201566783
Type myhack58
Reporter 佚名
Modified 2015-09-10T00:00:00


Kirby CMS is an easy to use, easy to install and setup is very flexible CMS system, no database support, the use of file system storage. Support Markdown grammar, templates and plug-ins. Vulnerability details In Kirby CMS found two vulnerabilities: 1. By path traversal authentication bypass 2. The CSRF upload and PHP script execution By path traversal authentication bypass KirbyCMS which has a vulnerability that allows attacker to save/read a hosted environment directory contents. Due to the KirbyCMS is a file-based content management system, in the accounts directory, it also stores the authentication data file, each user has its belongs to its own password file, named something like: kirby/site/accounts/[username]. php At the login screen, KirbyCMS reference the password file to verify the password hash. In this process, it can not verify that the generated path, and that does not contain the traversal path in the sequence, such as that provided by the user login variable in the‘../’ This will cause it to generate a path traversal vulnerability, if the attacker for the same multi-user hosting environment then you can bypass authentication, and the/tmp and other common directories written to the file. The exploit code exists in the kirby/core/user. php file: abstract class UserAbstract { protected $username = null; protected $cache = array(); protected $data = null; public function __construct($username) { $this->username = str::lower($username); // check if the account file exists if(! file_exists($this->file())) { throw new Exception('The user account could not be found'); } ... } protected function file() { return kirby::instance()->roots()->accounts() . DS . $this->username() . '. php'; } In addition, we try to bypass the authentication when found KirbyCMS allowed to pass through HTTP Protocol for authentication, and the authentication session has not ended. Proof-of-concept KirbyCMS the credentials in a PHP file is saved in the kirby/site/accounts directory, to prevent the server through the network to directly access content. The credentials file like this: php if(! defined('KIRBY')) exit ?& gt; username: victim email: password: > $2a$1 0$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5Kbnfkocklajznvdu7iuqpc language: en role: admin A bit has the same hosting environment account of the attacker in order to bypass the authentication, the above credentials the content including the encrypted password hash written to a public directory, 比如/tmp/bypassauth.php Due to the path traversal vulnerability, an attacker can use these credentials as the administrator, log( Username: ../../../../../../../../tmp/bypassauth Password: trythisout Will then generate a HTTP POST request, similar to: POST /kirby/panel/login HTTP/1.1 Host: victim_kirby_site Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6... Content-Length: 1 4 9 username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1... This will cause the KirbyCMS from path/sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php loaded credentials. Finally, the attacker can obtain the following response: class="hgroup hgroup-single-line cf"> class="hgroup-title"> href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account class="hgroup-options shiv shiv-dark shiv-left"> Successfully get to KirbyCMS management panel admin permissions The CSRF upload and PHP script execution KirbyCMS there is a vulnerability allowing to upload usually does not allow the PHP script file, this drain can only be had through the authentication of the user using the, and administrator privileges are not required. In addition, KirbyCMS there is another vulnerability--CSRF-site request forgery if an attacker convinces a user to visit a phishing site, which may lead the attacker to use an already authenticated user to perform file upload operation. This will cause an unauthenticated attacker to modify or upload content. The combination of these two vulnerabilities, we can execute arbitrary PHP code. PHP script execution KirbyCMS in addition to allows administrators to upload content, but also can run into the admin backend of low-privilege users to upload content. The upload function allows to upload images and other media files. KirbyCMS in to save the uploaded file before performing the following filtering operation: protected function checkUpload($file, $blueprint) { if(via strtolower($file->extension()) == kirby()->option('the content. file. extension', 'txt')) { throw new Exception('Content files cannot be uploaded'); } else if(via strtolower($file->extension()) == 'php' or in_array($file->mime(), f::$mimes['php'])) { throw new Exception('PHP files cannot be uploaded'); } else if(via strtolower($file->extension()) == 'html' or $file->mime() == 'text/html') { throw new Exception('the HTML files cannot be uploaded'); ... } We can see its detecting PHP files, just look at the file's suffix name is“. PHP”, or if you find a file's MIME type is defined for the PHP. If these two conditions are met, KirbyCMS will stop the upload function. Unfortunately, the two detection options are very easy to bypass. A lot of server configuration, for example Ubuntu or Debian the PHP script suffix can be:. php, . php4, . php5 is. Simply place a malicious PHP script suffix was changed to. php4, . php5 can be bypassed. MIME-type detection only in the

[1] [2] next