Very important security issue - most Kirby websites could be vulnerable to this attack

FOR EDUCATIONAL PURPOSES ONLY!!! :smile:

THIS ISSUE IS RELATED TO HACKING NOT JUST KIRBY BUT THE WHOLE WEBSITE INCLUDING FTP AND CPANEL… THIS IS DUE TO THE HTACCESS RULES THAT AREN'T SUPPORTED ON ALL WEBSERVERS… PLEASE READ CAREFULLY; I EXPLAINED IT WELL. BUT PLEASE ASK QUESTIONS IF YOU HAVE ANY…

Actually, Bastian is right. No software is 100% secure. There must be some small holes that can be used to peek in a little bit, and through that little hole you can get ALL or NOTHING… AND I JUST HAPPENED TO DISCOVER A SMALL HOLE THAT PROVES IT, THOUGH ONLY PRESENT ON SOME SERVERS; maybe this is because of server misconfiguration, but anyway let me share this with you…

First let me introduce you to these 3 htaccess rules in the starterkit.

RewriteRule ^content/(.*)\.(txt|md|mdown)$ error [R=301,L]

RewriteRule ^site/(.*) error [R=301,L]

RewriteRule ^kirby/(.*) error [R=301,L]

The goal of these rules is to redirect you to the not found page if you try to open or view the txt/md/mdown files or the site/kirby directories…

EXAMPLE:
You request the url http://www.example.com/content/site.txt in your browser, but those htaccess rules block it, so it should instead redirect you to the url http://www.example.com/error.

## FEELING SAFE?
On the other hand, many webservers nowadays are misconfigured or, shall we say, do not support those 3 htaccess rules completely… in most cases, the incompatibility reveals the full root directory location (IF MY TERMS ARE RIGHT)… So it shows something like /home/usr****/public_html/error** in the url…

## Just Directory? No Big Deal!
It's not just about directories. Most webservers (especially shared webservers/hosting) use your username (which can be an ftp username) as part of the location…

EXAMPLE:
/home/USERNAME_HERE/public_html/

PROOF:
You request the url http://www.example.com/content/site.txt in your browser, but those incompatible htaccess rules block it, so it instead redirects you to the url http://www.example.com/home/usr****/public_html/error**.

So hackers don't have to worry about the ftp username; the only thing they have to worry about is the ftp password… Anyway, TRIAL AND ERROR is not a big problem, especially if the owner's ftp password is weak…

I managed to hack a website in the SHOWCASE page with full ftp access + his ftp and cpanel username and password were the same, THEN I GOT COMPLETE ACCESS TO THE WHOLE WEBSITE AS IF I WAS THE OWNER… Good thing I am a good guy, I didn't touch anything…

I was so nervous because it's my first time hacking a website with complete access…

PS: DON'T ASK WHICH WEBSITE, I WON'T TELL YOU ANYWAY…


Yeah same story on DigitalOcean on default LAMP installation. Thanks :+1:
P.S. even on MAMP

Thanks for sharing… but what can I do against this?

I'm not a server admin, but there are some obvious things that should be respected:

  • Check if your installation works as it should
  • Block FTP access if you do not need it
  • Never use the same user name and password for different services
  • Make sure your FTP username is not the same as the user revealed in the path
  • Always make a backup of your site in case it gets hacked
  • If possible, use a dedicated server that gives you more control (although you should know what you are doing)
  • there's probably more…

How to fix this depends on your hosting provider. Generally you could try setting the RewriteBase in the .htaccess. That can sometimes already be enough.


@texnixe: Thanks for your notes

@lukasbestle: I already tried this but without success…

The other change you can try is to add a slash in front of error in the lines that block content/site/core access:

RewriteRule ^content/(.*)\.(txt|md|mdown)$ /error [R=301,L]
RewriteRule ^site/(.*) /error [R=301,L]
RewriteRule ^kirby/(.*) /error [R=301,L]

Of course this only works if Kirby is not installed in a subdirectory. Otherwise you need to add the subdirectory path as well.

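The two fixes discussed in this thread (setting `RewriteBase` and making the redirect target `/error` absolute) can be checked mechanically. The following audit script is an added example, not code from the thread or from Kirby: it scans an `.htaccess` fragment (a constructed sample containing the starterkit rules quoted above), flags every external redirect (`R` flag) whose target is a relative path while no `RewriteBase` is set, and emits the hardened file. The explanation of Apache's behaviour in the docstring is the editor's summary of mod_rewrite's per-directory handling, not text from the thread.

```python
import re

# Constructed sample: the three starterkit rules quoted in the thread, as shipped
# without a RewriteBase, plus Kirby's usual catch-all internal rewrite.
SAMPLE_HTACCESS = """\
RewriteEngine on
RewriteRule ^content/(.*)\\.(txt|md|mdown)$ error [R=301,L]
RewriteRule ^site/(.*) error [R=301,L]
RewriteRule ^kirby/(.*) error [R=301,L]
RewriteRule ^(.*) index.php [L]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

def is_redirect(flags):
    """True if the flag list contains R or R=<code> (an external redirect)."""
    return any(f.strip().upper() == "R" or f.strip().upper().startswith("R=")
               for f in flags.split(","))

def is_relative(target):
    """Relative substitution: not an absolute URL path, not a full URL, not '-'."""
    return not (target.startswith("/") or target == "-"
                or re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I))

def audit_htaccess(text, base="/"):
    """Return (findings, fixed_text).

    findings lists (line_no, rule) for each external redirect whose target is a
    relative path while no RewriteBase is set. In per-directory (.htaccess)
    context Apache resolves such a target against the directory's filesystem
    path and has to map it back to a URL prefix; when that mapping fails, the
    filesystem path lands in the Location header, which is the leak reported
    in this thread. fixed_text adds 'RewriteBase <base>' and absolutises targets.
    """
    lines = text.splitlines()
    has_base = any(l.strip().lower().startswith("rewritebase") for l in lines)
    findings, fixed = [], []
    for no, line in enumerate(lines, 1):
        m = RULE_RE.match(line)
        if m and not has_base and m.group(3) and is_redirect(m.group(3)) and is_relative(m.group(2)):
            findings.append((no, line.strip()))
            line = line[:m.start(2)] + base.rstrip("/") + "/" + m.group(2) + line[m.end(2):]
        fixed.append(line)
    if findings:
        # Place RewriteBase right after RewriteEngine when present, else at the top.
        idx = next((i + 1 for i, l in enumerate(fixed)
                    if l.strip().lower().startswith("rewriteengine")), 0)
        fixed.insert(idx, "RewriteBase " + base)
    return findings, "\n".join(fixed) + "\n"

if __name__ == "__main__":
    found, fixed = audit_htaccess(SAMPLE_HTACCESS)
    for no, rule in found:
        print(f"line {no}: relative redirect target without RewriteBase -> {rule}")
    print(fixed)
```

For a Kirby installation in a subdirectory, pass that path as `base` (e.g. `audit_htaccess(text, base="/blog")`) so both the `RewriteBase` and the rewritten targets carry the prefix, as the post above notes.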

I am very sorry for not responding immediately, as I had my tooth extracted…

Actually, I had already found the fix and implemented it on my site just before I posted this thread… But unfortunately I forgot to include it, as my tooth was aching at that moment… I'm glad @lukasbestle answered your questions, guys… And thank you for opening the issue on GitHub…

I'm super sorry for this! It never occurred to me that this could happen at all. I'm currently working on a solution and appreciate any second look at it: https://github.com/getkirby/kirby/issues/302#issuecomment-144443969

Thanks… but that didn't work either :frowning:

Please try the solution on Github and let me know if that works for you. Worked in all my tests so far.

It works but only when I add

RewriteBase /

too. Without that the issue is still the same… let me know if I can provide further information to help!

Works for me on shared hosting at OVH.

Please note: you may have to empty your cache and possibly also cookies for this fix to take effect.

I just re-released all 2.1.1 kits and changed the htaccess file in the downloadable package. I also posted an article with instructions on how to change the htaccess settings in order to fix this issue: http://getkirby.com/blog/check-your-rewrite-base