Kirby Path Traversal Vulnerability in Dynamic Collection Name Handling

Vulnerability

A path traversal vulnerability has been identified in Kirby versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1. The issue arises when the `collection()` helper or `$kirby->collection()` method is used with dynamic collection names that depend on user or request data. This vulnerability allows attackers to access arbitrary files on the server that are accessible to the PHP process, including files outside of the collections root or the Kirby installation itself. Exploitation of this vulnerability could lead to the execution of PHP code within the accessed files.

Impact

Exploitation of this vulnerability could allow an attacker to navigate the server's file system, read sensitive files, and execute PHP code, compromising the confidentiality and integrity of the server.

Reproduction

To reproduce this vulnerability, create a Kirby site that uses the `collection()` helper or `$kirby->collection()` method with dynamic collection names. Ensure that the collection name can be influenced by user input or request data. Once the site is set up, the vulnerability can be exploited by accessing a collection name that includes path traversal sequences, such as `..`, to escape the collections root and access arbitrary files on the server.

Remediation

Users should update to Kirby versions 3.9.8.3, 3.10.1.2, or 4.7.1. In these versions, a path traversal check has been added to ensure that collection paths remain within the configured collections root. After updating, note that any site that deliberately used path traversal with the `collection()` helper will need to be adjusted, since the new check will break that usage.
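The check the fix describes, written out as an added example (this is not Kirby's own implementation, and the function name `resolveCollectionPath`, the temporary root directory and the sample names are assumptions for the demonstration): a dynamic collection name is accepted only if it contains no `..` segment, is not absolute, and, after `realpath()` resolution, still lies under the collections root. Requires PHP 8.0 or later for `str_contains`/`str_starts_with`.

```php
<?php
// Added example, not Kirby project code. Resolves a dynamic collection name
// against a fixed collections root and refuses anything that escapes it.
// Function name, demo root and sample names are hypothetical.

declare(strict_types=1);

/**
 * Returns the absolute path of <root>/<name>.php when it lies inside $root,
 * or null when the name is invalid, escapes the root, or does not exist.
 */
function resolveCollectionPath(string $root, string $name): ?string
{
    // Lexical checks first: they hold even when the target file does not exist.
    if ($name === '' || str_contains($name, "\0")) {
        return null;
    }

    // Treat backslashes as separators so Windows-style traversal is caught too.
    $normalized = str_replace('\\', '/', $name);

    // Absolute POSIX paths and Windows drive prefixes are never valid names.
    if (str_starts_with($normalized, '/') || preg_match('~^[A-Za-z]:~', $normalized) === 1) {
        return null;
    }

    // Any ".." segment could climb out of the root; reject it outright.
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }

    $candidate = $rootReal . DIRECTORY_SEPARATOR
        . str_replace('/', DIRECTORY_SEPARATOR, $normalized) . '.php';

    // Second line of defence: after symlink resolution the file must still be
    // under the root. realpath() yields false for missing files, which is
    // treated as "no such collection".
    $candidateReal = realpath($candidate);
    if ($candidateReal === false) {
        return null;
    }

    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($candidateReal, $prefix)) {
        return null;
    }

    return $candidateReal;
}

// Demonstration against a throwaway collections root (constructed here).
$root = sys_get_temp_dir() . '/collections-demo';
@mkdir($root . '/blog', 0700, true);
file_put_contents($root . '/blog/latest.php', "<?php return [];\n");

var_dump(resolveCollectionPath($root, 'blog/latest'));        // regular name inside the root
var_dump(resolveCollectionPath($root, '../../config/config')); // contains a ".." segment
var_dump(resolveCollectionPath($root, '/tmp/other'));          // absolute path
var_dump(resolveCollectionPath($root, 'blog/missing'));        // file does not exist
```

The lexical rejection of `..` is deliberate even though `realpath()` alone would catch most escapes: `realpath()` returns `false` for paths that do not exist, so a check that relies on it only cannot distinguish "outside the root" from "not found", and it also says nothing about a name before the filesystem is touched. Doing both keeps the decision independent of what happens to exist on disk.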

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 6.8
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.