Very important security issue - most Kirby websites could be vulnerable to this attack

FOR EDUCATIONAL PURPOSES ONLY!!! :smile:

THIS ISSUE IS RELATED TO HACKING NOT JUST KIRBY BUT THE WHOLE WEBSITE INCLUDING FTP AND CPANEL… THIS IS DUE TO THE HTACCESS RULES THAT AREN'T SUPPORTED ON ALL WEBSERVERS… PLEASE READ CAREFULLY; I EXPLAINED IT WELL. BUT PLEASE ASK QUESTIONS IF YOU HAVE ANY…

Actually, Bastian is right. No software is 100% secure. There must be some small holes that can be used to peek in a little bit, and in that little hole you can get ALL or NOTHING. AND I JUST HAPPENED TO DISCOVER A SMALL HOLE THAT PROVES IT, THOUGH ONLY PRESENT ON SOME SERVERS; maybe this is because of server misconfiguration, but anyways let me share this with you…

First let me introduce you to these 3 htaccess rules in the starterkit.

RewriteRule ^content/(.*)\.(txt|md|mdown)$ error [R=301,L]

RewriteRule ^site/(.*) error [R=301,L]

RewriteRule ^kirby/(.*) error [R=301,L]

The goal of these rules is to redirect you to the not found page if you try to open or view the txt/md/mdown files or the site/kirby directories…

EXAMPLE:
You requested the URL http://www.example.com/content/site.txt in your browser, but those htaccess rules block it, so it should instead redirect you to the URL http://www.example.com/error.

## FEELING SAFE?
On the other hand, many webservers nowadays are misconfigured or, shall we say, do not support those 3 htaccess rules completely… in most cases, the incompatibility reveals the full root directory location (IF MY TERMS WERE RIGHT)… So it should show something like /home/usr****/public_html/error** in the URL…

## Just Directory? No Big Deal!
It’s not just about directories. Most webservers (especially shared webservers/hosting) use your username (which can be an FTP username) as part of the location…

EXAMPLE:
/home/USERNAME_HERE/public_html/

PROOF:
You requested the URL http://www.example.com/content/site.txt in your browser, but those incompatible htaccess rules block it, so it instead redirects you to the URL http://www.example.com/home/usr******/public_html/error.

So hackers don’t have to worry about the FTP username; the only thing they have to worry about is the FTP password… Anyway, TRIAL AND ERROR is not a big problem, especially if the owner’s FTP password is weak…

I managed to hack a website in the SHOWCASE page with full FTP access + his FTP and cPanel username and password are the same, THEN I GOT COMPLETE ACCESS TO THE WHOLE WEBSITE AS IF I WAS THE OWNER… Good thing I am a good guy, I didn’t touch anything…

I was so nervous because it’s my first time hacking a website with complete access…

PS: DON'T ASK ME WHICH WEBSITE, I WON'T TELL YOU ANYWAY…

1 Like

Yeah same story on DigitalOcean on default LAMP installation. Thanks :+1:
P.S. even on MAMP

Thanks for sharing … but what can I do against this?

I’m not a server admin, but there are some obvious things that should be respected:

  • Check if your installation works as it should
  • Block FTP access if you do not need it
  • Never use the same user name and password for different services
  • Make sure your FTP username is not the same as the user revealed in the path
  • Always make a backup of your site in case it gets hacked
  • If possible, use a dedicated server that gives you more control (although you should know what you are doing)
  • there’s probably more …

How to fix this depends on your hosting provider. Generally you could try setting the RewriteBase in the .htaccess. That can sometimes already be enough.

1 Like

@texnixe: Thanks for your notes

@lukasbestle: I already tried this but without success …

The other change you can try is to add a slash in front of error in the lines that block content/site/core access:

RewriteRule ^content/(.*)\.(txt|md|mdown)$ /error [R=301,L]
RewriteRule ^site/(.*) /error [R=301,L]
RewriteRule ^kirby/(.*) /error [R=301,L]

Of course this only works if Kirby is not installed in a subdirectory. Otherwise you need to add the subdirectory path as well.

2 Likes
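A small checker for the two symptoms discussed in this thread: a `RewriteRule` with the `R` flag whose target is relative (no leading slash) in a `.htaccess` that sets no `RewriteBase`, and a redirect whose `Location` carries the filesystem path in front of the intended `/error`. This is an added example, not code from the thread or from Kirby; the `.htaccess` fragments and the `Location` values below are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the starterkit-style rules with a relative redirect target.
VULNERABLE_HTACCESS = r"""
RewriteEngine on
RewriteRule ^content/(.*)\.(txt|md|mdown)$ error [R=301,L]
RewriteRule ^site/(.*) error [R=301,L]
RewriteRule ^kirby/(.*) error [R=301,L]
"""

# Constructed sample: the fix from the thread (RewriteBase plus a leading slash).
FIXED_HTACCESS = r"""
RewriteEngine on
RewriteBase /
RewriteRule ^content/(.*)\.(txt|md|mdown)$ /error [R=301,L]
RewriteRule ^site/(.*) /error [R=301,L]
RewriteRule ^kirby/(.*) /error [R=301,L]
"""

RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def find_relative_redirects(htaccess: str) -> list:
    """Return targets of external-redirect rules ([R] flag) that are relative
    (no leading "/" and no scheme) while the file sets no RewriteBase.
    In per-directory context mod_rewrite may prefix such a target with the
    directory's filesystem path, which is what exposes /home/<user>/public_html/."""
    lines = htaccess.splitlines()
    has_base = any(l.strip().lower().startswith('rewritebase') for l in lines)
    findings = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or '')
        is_redirect = any(f.strip().lower().split('=')[0] in ('r', 'redirect')
                          for f in flags.split(','))
        is_relative = not (target.startswith('/') or SCHEME_RE.match(target))
        if is_redirect and is_relative and not has_base:
            findings.append(target)
    return findings


def location_leaks_path(location: str, expected_path: str = '/error') -> bool:
    """True if a redirect's Location ends in the expected error path but has
    extra leading segments (e.g. /home/usr1234/public_html/error)."""
    path = urlparse(location).path
    return path != expected_path and path.endswith(expected_path)
```

Run `find_relative_redirects` over your own `.htaccess`, and `location_leaks_path` over the `Location` header you get back (for example from `curl -I`) when requesting one of the blocked paths on your own site.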

I am very sorry for not responding immediately for I had my tooth extracted…

Actually I had already found the fix and implemented it on my site just before I posted this thread… But unfortunately I forgot to include it, as my tooth was aching at that moment… I’m glad @lukasbestle answered your questions, guys… And thank you for opening the issue on GitHub…

I’m super sorry for this! It never occurred to me that this could happen at all. I’m currently working on a solution and appreciate any second look at it: https://github.com/getkirby/kirby/issues/302#issuecomment-144443969

Thanks … but that didn’t work either :frowning:

Please try the solution on Github and let me know if that works for you. Worked in all my tests so far.

It works but only when I add

RewriteBase /

too. Without that the issue is still the same … let me know if I can provide further information for any help!

Works for me on shared hosting at OVH.

Please note: you may have to empty your cache and possibly also cookies for this fix to take effect.

I just re-released all 2.1.1 kits and changed the htaccess file in the downloadable package. I also posted an article with instructions on how to change the htaccess settings in order to fix this issue: http://getkirby.com/blog/check-your-rewrite-base