2.1.2 – Security Update

While still working on fixing the last bugs for 2.2 I got an email today from a Japanese Security research group, which reported a small vulnerability in the panel. (CVE-2015-7773 reported by Mr. Yuji Tounai of NTT Com Security(Japan)KK)

I wanted to let you all know about the issue and also submit a fix a s soon as possible and not wait for 2.2 to fix this.

To reproduce the vulnerability a logged in user has to upload a PHP file without extension in the Panel. This only works when the browser and/or server does not handle mime type detection properly. Otherwise the PHP file won’t be uploadeable even without the extension.

As soon as the file without the extension is on the server the user can then rename the file in the Panel file editor and attach .php to the filename. This will unfortunately not be stripped by the panel and the PHP file can then be used via URL to execute code on the server.

2.1.2 fixes this issue in two steps:

  • files without extension are no longer being accepted by the panel. There is no reason why you should be able to do that anyway.
  • it’s no longer possible to attach an extension to a filename by renaming it with the Panel.

You can read the full details about the release here: http://getkirby.com/changelog/kirby-2-1-2

I try to be as fast as possible with such fixes. The report got in tonight at 3:20am and I started working on it immediately as soon as I entered the office.

If you should find any security issues yourself, please send any reports to me immediately: bastian@getkirby.com
Whenever possible, please encrypt your email. You can find my public key here: https://keybase.io/bastianallgeier/key.asc Avoid posting security concerns directly in the forum. It’s not about harming Kirby, but about harming other users. I will take care of any issues as fast as I can.

β€” Bastian