Hey everyone,
while we work on the last steps for the next v5 release (expected to arrive later this week), we have a set of security releases that we need to get out to you.
Kirby 4.7.1
https://github.com/getkirby/kirby/releases/tag/4.7.1
Kirby 3.10.1.2
https://github.com/getkirby/kirby/releases/tag/3.10.1.2
Kirby 3.9.8.3
https://github.com/getkirby/kirby/releases/tag/3.9.8.3
Those releases fix three path traversal issues:
- https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp
- https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg
- https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h
TL;DR
The first two vulnerabilities only affect Kirby sites that call the snippet() or collection() helpers with dynamic name values, e.g. snippet('category-' . get('category')), where the value could be controlled by an attacker (via the URL query in this case). Sites that only use fixed calls to the snippet() or collection() helpers (i.e. calls with a simple string for the snippet/collection name) are not affected.
The last vulnerability only affects Kirby setups that use PHP’s built-in server. Such setups are commonly only used during local development.
You can read more about the vulnerabilities and their impact in the security advisories linked above.
If you are using such dynamic snippet or collection calls, we really urge you to update immediately.
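To make the "dynamic name" pattern from the TL;DR concrete, here is an added example that is not part of the original post and not Kirby's own code. It uses a hypothetical stand-in resolver (resolve_snippet_unsafe) that does what a naive helper would do, namely concatenate the request-controlled name into a file path under site/snippets, next to a hardened variant (resolve_snippet_safe) that restricts the name to a plain slug and verifies the canonical path stays inside the snippets root. The directory layout and file contents are constructed in a temp directory for the demo; the paths, function names and the "config.php" stand-in are assumptions, not Kirby internals.

```php
<?php
// Added illustration of the dynamic snippet name problem; not Kirby's code.
// All names below (resolve_snippet_unsafe, resolve_snippet_safe, $root) are hypothetical.
declare(strict_types=1);

// Constructed layout: <tmp>/site/snippets (snippet root) and <tmp>/site/config/config.php
// standing in for a sensitive file that lives outside the snippet root.
$site = sys_get_temp_dir() . '/kirby-snippet-demo-' . getmypid() . '/site';
$root = $site . '/snippets';
@mkdir($root . '/category-archive', 0777, true);   // snippets may live in subfolders
@mkdir($site . '/config', 0777, true);
file_put_contents($root . '/category-news.php', "<?php echo 'news snippet';");
file_put_contents($root . '/category-archive/list.php', "<?php echo 'archive list';");
file_put_contents($site . '/config/config.php', "<?php echo 'SENSITIVE CONFIG';");

// Naive resolver: the attacker-influenced name goes straight into the path.
// A value containing "../" walks out of the snippet root once any subfolder exists.
function resolve_snippet_unsafe(string $root, string $name): ?string
{
    $path = $root . '/' . $name . '.php';
    return is_file($path) ? $path : null;
}

// Hardened resolver:
//  1. only allow slug segments separated by "/" (so "archive/list" still works,
//     but "..", leading "/", NUL bytes and absolute paths are rejected up front);
//  2. canonicalise with realpath() and require the result to stay under the root,
//     so symlinks or any pattern the regex missed cannot escape either.
function resolve_snippet_safe(string $root, string $name): ?string
{
    if (!preg_match('~^[a-z0-9_-]+(/[a-z0-9_-]+)*$~', $name)) {
        return null;
    }
    $rootReal = realpath($root);
    $pathReal = realpath($root . '/' . $name . '.php');
    if ($rootReal === false || $pathReal === false) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($pathReal, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside site/snippets
    }
    return $pathReal;
}

// Simulates snippet('category-' . get('category')) for a benign and a crafted query value.
$benign  = 'news';                               // ?category=news
$crafted = 'archive/../../config/config';        // ?category=archive/../../config/config

foreach (['unsafe' => 'resolve_snippet_unsafe', 'safe' => 'resolve_snippet_safe'] as $label => $fn) {
    foreach (['benign' => $benign, 'crafted' => $crafted] as $kind => $value) {
        $result = $fn($root, 'category-' . $value);
        printf("%-6s %-7s -> %s\n", $label, $kind, $result ?? 'rejected');
    }
}
```

Run it with `php demo.php`: the unsafe resolver returns the path to site/config/config.php for the crafted value, because "category-archive/../../config/config.php" canonicalises to a file outside the snippet root, while the safe resolver rejects it and still serves "category-news". The same two checks (restrictive name pattern plus a realpath containment test) apply to a dynamic collection() name; the cleanest fix remains mapping user input to a fixed set of known snippet names rather than building the name from the request at all.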