Kirby CMS 2.1.0 CSRF / Shell Upload

Type packetstorm
Reporter Dawid Golunski
Modified 2015-09-16T00:00:00


- Release date: 14.09.2015  
- Discovered by: Dawid Golunski  
- Severity: High  
Kirby CMS <= 2.1.0 CSRF Content Upload and PHP Script Execution  
- Kirby CMS  
"Kirby is a file‑based CMS  
Easy to setup. Easy to use. Flexible as hell."  
KirbyCMS has a vulnerability that allows to upload normally disallowed PHP  
script files.  
This issue can only be exploited by authenticated users, however admin role  
is not required.  
Additionally, KirbyCMS has another vulnerability - Cross-Site Request Forgery  
(CSRF) - which may allow attackers to perform file upload actions on behalf  
of an already authenticated KirbyCMS users, if an attacker manages to trick  
them into visiting a specially-crafted website.  
This issue can allow an unauthorised attacker to modify or upload new content.  
Both of the issues can be combined to execute arbitrary PHP code on the  
remote server hosting KirbyCMS, if a logged-in victim visits a malicious page  
containing an exploit crafted by an attacker.  
IV. PHP Code Execution  
KirbyCMS allows to upload content to both admin and a low privileged editor  
users who can access the control panel.  
The upload feature allows to upload images and other media files which can  
be referenced within the content once uploaded.  
KirbyCMS performs the following validation before saving an uploaded file  
to prohibit risky uploads:  
---[ panel/app/controllers/api/files.php ]---  
protected function checkUpload($file, $blueprint) {  
if(strtolower($file->extension()) ==  
kirby()->option('content.file.extension', 'txt')) {  
throw new Exception('Content files cannot be uploaded');  
} else if(strtolower($file->extension()) == 'php' or  
in_array($file->mime(), f::$mimes['php'])) {  
throw new Exception('PHP files cannot be uploaded');  
} else if(strtolower($file->extension()) == 'html' or  
$file->mime() == 'text/html') {  
throw new Exception('HTML files cannot be uploaded');  
As we can see it prevents uploading PHP files by checking if an uploaded file  
has a '.php' extension, or if the discovered MIME type of the file has been  
evaluated to PHP. KirbyCMS throws an exception and stops further processing  
if either of the conditions is true.  
Unfortunately, both of the checks can easily be bypassed on multiple server  
As many server configurations such as Ubuntu, or Debian, process several  
file extensions as PHP scripts, e.g.: .php, .php4, .php5.  
The extension check can for example be evaded by simply uploading a malicious  
file with the '.php4' extension.  
The MIME type check can also be easily bypassed by preceding the <?php script  
tags with <?xml tags , to trick the MIME detector into recognising  
the malicious file as XML thus passing the check (mime['php'] != mime['xml']).  
As the upload directory is not set to disable script execution by default,  
bypassing the checks allows to upload arbitrary PHP scripts and execute them  
on the remote server hosting a vulnerable KirbyCMS installation.  
Media files are only meant to be uploaded by authenticated users such  
as editors or site administrators.  
However, KirbyCMS's upload function does not protect against  
cross-site request forgery by including a special CSRF token to verify  
the source of the request.  
As a result, an attacker can prepare a specially-crafted webpage which will  
upload a malicious file to the remote KirbyCMS site without user's permission,  
if the attacker manages to trick the logged-in victim into visiting his page.  
Both of the issues described above can be combined to prepare a malicious page  
which uploads an arbitrary PHP file as soon as a victim authenticated  
into KirbyCMS visits the page.  
An malicious CSRF html page could send a request similar to the following:  
POST /kirby/panel/api/files/upload/about HTTP/1.1  
Host: victim_kirby_server  
Content-Type: multipart/form-data;  
Content-Length: 261  
Origin: null  
Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00...  
Content-Disposition: form-data; name="file"; filename="kirbyexec.php5"  
Content-Type: application/x-php  
<?xml >  
uploading the file as a result into the: kirby/content/1-about  
directory on the server.  
The malicious file can then be accessed via the URL:  
Once opened, phpinfo() page should be loaded.  
By combining the two issues an attacker could execute arbitrary PHP code  
on the remote server without any authentication to gain full control over  
the website using a vulnerable KirbyCMS.  
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.  
To exploit the PHP script execution vulnerability the webserver must be  
configured to process files as PHP with extensions other than .php.  
Ubuntu and Debian systems fulfill this condition. There might be more systems  
which are configured in this way by default, or have been reconfigured to  
do so.  
To gain access to the control panel and upload a malicious PHP file, an  
attacker may be able to exploit a separate, Authentication Bypass issue also  
discovered by Dawid Golunski, described in a separate document.  
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.  
The vulnerability has been discovered by Dawid Golunski  
dawid (at) legalhackers (dot) com  
14.09.2015 - Final  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this information.