Kirby Path Traversal Vulnerability in Snippet Helper Allowing Arbitrary File Access and Execution

Vulnerability

A path traversal vulnerability has been identified in Kirby, an open-source content management system, affecting versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1. The vulnerability arises when the `snippet()` helper or `$kirby->snippet()` method is used with dynamic snippet names that depend on user or request data. This flaw allows attackers to navigate outside the intended directory and access arbitrary files on the server that are accessible to the PHP process. In some cases, this could lead to the execution of PHP code within those files. Exploitation requires knowledge of the server's file system and can potentially be automated through fuzzing.

Impact

Exploitation of this vulnerability could result in unauthorized access to files outside the Kirby installation, including sensitive configuration files. Additionally, it could allow the execution of arbitrary PHP code, potentially leading to further compromise of the server.

Reproduction

To reproduce this vulnerability, create a Kirby site and use the `snippet()` helper with a dynamic name that is influenced by user input or request data. For example, `snippet('tags-' . get('tags'))` is a vulnerable usage. Because the snippet name is built from request data, `..` sequences in that data are resolved against the snippets root and can point the helper at files outside it.
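The vulnerable pattern above beside a hardened form, as an added example that is not Kirby's own code and not the fix shipped in the patched versions: the `safeSnippetName` and `resolvesInsideRoot` helpers, the temporary snippets directory and the sample snippet file are all assumptions constructed for this illustration.

```php
<?php
// Added example (not Kirby's code): validate a request-controlled snippet
// name before it reaches snippet(), instead of snippet('tags-' . get('tags')).

// Strict allow-list: the name is a fixed prefix plus a token of safe
// characters only, so "..", "/", "\" and NUL bytes can never appear in it.
function safeSnippetName(string $prefix, $userValue): ?string
{
    // get() may return null or an array; only a plain matching string is accepted.
    if (!is_string($userValue) || !preg_match('/^[a-z0-9_-]{1,64}$/', $userValue)) {
        return null;
    }
    return $prefix . $userValue;
}

// Defence in depth: confirm the resolved file really lives under the snippets
// root. $root is assumed to be the site's snippets directory.
function resolvesInsideRoot(string $root, string $name): bool
{
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $name . '.php');
    if ($rootReal === false || $fileReal === false) {
        return false; // unknown snippet or unresolvable path: do not load it
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0;
}

// Constructed fixture so the script runs without a Kirby install.
$root = sys_get_temp_dir() . '/snippets-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/tags-news.php', "<?php // sample snippet\n");

// 'news' is the only input that passes both checks; 'news-2025' passes the
// allow-list but names no existing snippet, the others fail the allow-list.
foreach (['news', 'news-2025', '../config', null] as $input) {
    $name = safeSnippetName('tags-', $input);
    $ok   = $name !== null && resolvesInsideRoot($root, $name);
    printf("%-12s => %s\n", var_export($input, true), $ok ? "load '$name'" : 'reject');
}
// In a template:
//   $name = safeSnippetName('tags-', get('tags'));
//   if ($name !== null && resolvesInsideRoot($kirby->root('snippets'), $name)) {
//       snippet($name);
//   }

unlink($root . '/tags-news.php');
rmdir($root);
```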

Remediation

Users should update to Kirby version 3.9.8.3, 3.10.1.2, or 4.7.1. After updating, be aware that any deliberate use of `..` sequences in names passed to the `snippet()` helper will no longer work, so such code may need adjusting.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 7.5
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.