Kirby Path Traversal Vulnerability in PHP's Built-in Server

A path traversal vulnerability has been identified in Kirby, an open-source content management system, affecting versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1. This vulnerability is present in Kirby setups that use PHP's built-in server, a configuration typically reserved for local development. The issue arises from a missing path traversal check, which allows attackers to access files on the server that are accessible to the PHP process, including those outside the Kirby installation. Exploitation of this vulnerability could reveal the existence of traversed files or, in some cases, execute PHP code.

Impact

Exploitation of this vulnerability allows for path traversal, enabling attackers to access files on the server that are accessible to the PHP process, including those outside the Kirby installation. While the vulnerability does not directly expose file contents or execute PHP code, it could be exploited to determine the existence of files outside the document root, potentially leading to further attacks.

Remediation

Users can update to Kirby versions 3.9.8.3, 3.10.1.2, or 4.7.1 to address this vulnerability. In these versions, the router has been updated to check if static files are within the document root, preventing path traversal exploitation. For Kirby 4.7.1 users with a public folder setup, version 4.7.2 should be used.