There are good days and then there are days when we get vulnerability reports.
We received a report yesterday that phar files can be uploaded in the Panel. We have all kinds of security checks for file uploads, but have to admit that phar files slip through those checks. phar files are basically PHP files and can be executed on the server. This is critical when you cannot fully trust your editor team in the Panel. Frontend users have no way to abuse this attack vector. It is only available for logged-in users with permissions to upload files. An example would be a rogue team member in your company who just got fired and is now trying to take your site down as revenge before they lose access.
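As an added illustration (this is not Kirby's own code and not the patch shipped in 3.4.5 or 2.5.14), here is a standalone PHP check an upload handler can run to reject phar archives and other PHP-executable files, which a plain ".php" denylist misses; the function name, the blocked-extension list and the sample file are assumptions for the example.

```php
<?php
// Added example, not Kirby code: reject uploads that PHP could execute.
// A phar archive is a PHP file (a "<?php ... __HALT_COMPILER();" stub followed
// by the archive payload), so it must be treated exactly like a .php upload.

function isExecutableByPhp(string $path, string $originalName): bool
{
    // Assumed denylist; extend it to whatever your web server maps to PHP.
    $blocked = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phps', 'phar'];

    // 1. Name check over every dotted segment, so "payload.phar.jpg" is caught
    //    on servers that hand multi-extension files to PHP.
    $segments = explode('.', strtolower(basename($originalName)));
    array_shift($segments); // drop the base name, keep only the extensions
    foreach ($segments as $segment) {
        if (in_array($segment, $blocked, true)) {
            return true;
        }
    }

    // 2. Content check on the first bytes, independent of the supplied name:
    //    an opening PHP tag or the phar halt marker means this is PHP code.
    $head = (string) file_get_contents($path, false, null, 0, 4096);
    if (stripos($head, '<?php') !== false || stripos($head, '__HALT_COMPILER') !== false) {
        return true;
    }

    return false;
}

// Constructed sample: a minimal phar-style stub renamed to look like an image.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php __HALT_COMPILER(); ?>\x00\x00");
var_dump(isExecutableByPhp($tmp, 'avatar.jpg'));     // caught by the content check
var_dump(isExecutableByPhp($tmp, 'archive.phar'));   // caught by the name check

// Constructed sample: bytes that are not PHP under a harmless name.
file_put_contents($tmp, "\xFF\xD8\xFF\xE0 constructed jpeg-like header");
var_dump(isExecutableByPhp($tmp, 'photo.jpg'));      // allowed
unlink($tmp);
```

The content check only covers stub-based phars; tar- or zip-based phars carry no stub, which is why the extension check stays in place alongside it.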
@lukasbestle instantly worked on a fix for v3 and I also created a fix for v2, which had the same issue. This security patch is now available in Kirby 3.4.5 https://github.com/getkirby/kirby/releases/tag/3.4.5 and Kirby 2.5.14 https://github.com/getkirby-v2/panel/releases/tag/2.5.14
We decided to release a fix for Kirby 2 as well although we are going to drop security support on December 31st. But we don’t want to leave this version with a known vulnerability.
Updates can be done in the same way as always:
v3: replace your kirby folder
v2: replace your kirby and panel folders
We are really sorry for this issue! We know how busy the last weeks of the year are for everyone and the last thing you need is a security update.