CVE-2022-39315 - User Enumeration Vulnerability in Kirby CMS Fixed in Versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1

Kirby Content Management System (CMS) is a popular platform used by developers to create and manage websites efficiently. Users of this CMS should be aware that a user enumeration vulnerability (CVE-2022-39315) affects all Kirby sites having user accounts, except for those with the API and Panel disabled in the config. This vulnerability could potentially be exploited in targeted attacks, although it doesn't scale up to brute-force approaches. Thankfully, the issue has been addressed in the latest releases of Kirby, starting from versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1.

Code Snippet

Before the fixes, a sample code snippet demonstrating the user enumeration vulnerability is shown below:

if ($user = $kirby->user($email) {
    sleep(2); // delay to prevent brute force attacks
}

As the delay was only being applied when a valid email address was entered, this allowed attackers to differentiate between valid and invalid emails, enabling user enumeration.

Exploit Details

The vulnerability can only be used for targeted attacks because it doesn't scale up to brute-force attacks. The issue occurs due to the lack of a delay when a wrong email address is entered during the login attempt, which inadvertently allows attackers to enumerate users by comparing response times for valid and invalid email addresses.

Original References

Kirby, the CMS provider, has been transparent about the issue by providing detailed release notes for each affected version:

- Kirby 3.5.8.2: https://github.com/getkirby/kirby/releases/tag/3.5.8.2
- Kirby 3.6.6.2: https://github.com/getkirby/kirby/releases/tag/3.6.6.2
- Kirby 3.7.5.1: https://github.com/getkirby/kirby/releases/tag/3.7.5.1
- Kirby 3.8.1: https://github.com/getkirby/kirby/releases/tag/3.8.1

Patched Code Snippet

In the four latest releases, Kirby maintainers rewrote the affected code to make sure the delay is inserted even after reaching the brute-force limit:

$user = $kirby->user($email);
sleep(2); // delay to prevent brute force attacks and user enumeration

Conclusion

Users of Kirby CMS should update their installations to version 3.5.8.2, 3.6.6.2, 3.7.5.1, or 3.8.1 to protect themselves from the user enumeration vulnerability (CVE-2022-39315). As the attack doesn't scale to brute force, the primary concern is targeted attacks on individual users, making it crucial for users with user accounts in Kirby to stay up-to-date and continue monitoring future updates from Kirby.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 00:50:00 UTC