Kirby is a popular content management system (CMS) that powers websites of various sizes. A recently discovered vulnerability, identified as CVE-2023-38491, affects older versions of Kirby CMS (prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6). It potentially exposes websites that accept file uploads from untrusted users or visitors, as well as websites that do not restrict uploaded file extensions to a predetermined safe list.

Details

The vulnerability resides in Kirby's Kirby\Http\Response::file() method, which has no explicit fallback for unknown MIME types. In affected versions, a file whose extension is not recognised may be served with the incorrect content type text/html; if a user with the appropriate permissions uploads such a file containing malicious HTML, such as <script> tags, the browser renders it as a page instead of treating it as an opaque download.

To successfully exploit this vulnerability, the attacker needs write access to the Kirby Panel (e.g., as an editor) and must share the direct link to the malicious file with other users or visitors. If the victim opens the link in a browser where they are logged in to Kirby, the site executes the script in its own origin, potentially triggering unauthorized requests to Kirby's API with the victim's privileges.

Code snippet

The following simplified snippet illustrates the faulty implementation of the Kirby\Http\Response::file() method:

public function file(string $file, array $options = []): Response
{
    return new static([
        'body' => F::read($file),
        // fromExtension() yields no type for an unknown extension; with no
        // fallback here, the response falls back to its default text/html
        'contentType' => MimeType::fromExtension(F::extension($file)),
        'options' => $options,
    ]);
}

Patched versions

The maintainers of Kirby CMS addressed the issue in versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 by adding a fallback MIME type of text/plain and setting the X-Content-Type-Options: nosniff header whenever the MIME type of a file is unknown:

public function file(string $file, array $options = []): Response
{
    // resolve the type first so the unknown case can be handled explicitly
    $mimeType = MimeType::fromExtension(F::extension($file));

    return new static([
        'body' => F::read($file),
        // unknown type: serve as plain text rather than the text/html default
        'contentType' => $mimeType ?? 'text/plain',
        // and tell the browser not to sniff the body for a different type
        'headers' => $mimeType ? [] : ['X-Content-Type-Options' => 'nosniff'],
        'options' => $options,
    ]);
}

Recommendations

It is strongly advised to update your Kirby CMS installation to the latest patched version. If your site or plugin code uses the Kirby\Http\Response::file() method, you should also update that code to include the fallback text/plain MIME type and the X-Content-Type-Options: nosniff header whenever the MIME type is unknown.
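To see the before/after behaviour without a Kirby installation, here is an added example (not Kirby's own code) that reimplements the fallback logic from the patch against a toy MIME table; mimeFromExtension() and fileResponseHeaders() are names assumed for this demonstration only.

```php
<?php
declare(strict_types=1);

// Added example, not Kirby's own code: a minimal stand-in for the
// fallback logic the patch introduces. The MIME table and the
// function names are assumptions made for this demonstration.

// Stand-in for MimeType::fromExtension(); null means "unknown".
function mimeFromExtension(string $extension): ?string
{
    $map = [
        'jpg' => 'image/jpeg',
        'png' => 'image/png',
        'pdf' => 'application/pdf',
        'txt' => 'text/plain',
    ];
    return $map[strtolower($extension)] ?? null;
}

// Headers a file response carries. With $hardened = false the unknown
// case falls through to text/html, the behaviour the advisory describes
// for affected versions; with $hardened = true the file is labelled
// text/plain and the browser is told not to sniff its content.
function fileResponseHeaders(string $filename, bool $hardened = true): array
{
    $mimeType = mimeFromExtension(pathinfo($filename, PATHINFO_EXTENSION));

    if ($mimeType !== null) {
        return ['Content-Type' => $mimeType];
    }
    if (!$hardened) {
        return ['Content-Type' => 'text/html'];
    }
    return [
        'Content-Type'           => 'text/plain',
        'X-Content-Type-Options' => 'nosniff',
    ];
}

// Constructed sample names; the second extension is deliberately
// absent from the map to exercise the unknown-type path.
foreach (['report.pdf', 'notes.unknownext'] as $name) {
    printf("%-18s before: %s\n", $name, json_encode(fileResponseHeaders($name, false)));
    printf("%-18s after:  %s\n", $name, json_encode(fileResponseHeaders($name)));
}
```

Run it with `php` on the command line; the second file name shows the unknown-extension case switching from text/html to text/plain plus nosniff.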

References

1. Kirby CMS Official Website: https://getkirby.com/
2. CVE-2023-38491 Description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38491
3. Kirby CMS Release Notes: https://github.com/getkirby/kirby/releases

Timeline

Published on: 07/27/2023 16:15:00 UTC
Last modified on: 08/03/2023 13:35:00 UTC