CVE-2023-38489 - Insufficient Session Expiration in Kirby CMS leads to Unauthorized Access

Kirby CMS is a powerful and flexible content management system, but it has recently been discovered that there is a security vulnerability affecting user accounts in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The vulnerability, known as Insufficient Session Expiration, can be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker has already maliciously used a previous password to log in to a Kirby site as the affected user.

Insufficient Session Expiration allows attackers to reuse old session credentials or session IDs for authorization. In this case, it allows attackers to remain logged in to a Kirby site on another device even if the logged-in user has since changed their password. Prior to the patches, Kirby did not invalidate user sessions created with passwords that have been changed by the user or by a site admin.

The issue has been resolved in the latest releases of Kirby - version 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 - by modifying the authentication implementation. The following code snippet demonstrates the updated implementation, which ensures that user sessions are invalidated if the associated password has been changed:

public function isValid(): bool
{
    if ($this->isExpired() === true) {
        return false;
    }

    $user = $this->user();

    if ($user === null) {
        return false;
    }

    // Check if the stored hashed password matches the user's current hashed password
    if ($this->get('password') !== $user->password()->toString()) {
        return false;
    }

    return true;
}

To enforce this fix for users who were possibly affected by the vulnerability, all users are logged out from Kirby sites after updating to one of the patched releases.

For more information about the vulnerability, please refer to the following sources

- CVE-2023-38489 NVD Entry
- Kirby CMS GitHub Issue
- Kirby CMS Release Notes

If you are using an affected version of Kirby, it is strongly recommended to update to one of the patched releases mentioned above. This will ensure the security vulnerability is patched and the risk of unauthorized access is mitigated. Always be cautious when sharing devices or browsers with untrusted users and remember to keep your passwords secure.

Stay safe out there, and always keep your web applications up to date to defend against ever-evolving security threats.

Timeline

Published on: 07/27/2023 15:15:00 UTC
Last modified on: 08/03/2023 13:28:00 UTC