Kirby is a popular content management system (CMS) used by web developers to create and manage content on websites. Recently, a vulnerability (CVE-2023-38492) has been discovered affecting all Kirby sites with user accounts, unless Kirby's API and Panel are disabled in the config. This vulnerability has a limited real-world impact, but it is essential to update to one of the patch releases, as they also fix more severe vulnerabilities.

Exploit Details

The vulnerability lies in Kirby's authentication endpoint, which did not limit the password length. Attackers could exploit this issue by providing a password with a length up to the server's maximum request body length. Validating such a long password against a user's actual password would require hashing the provided password, consuming more CPU, memory resources, and processing time. Consequently, an attacker could abuse this vulnerability to cause a website to become unresponsive or unavailable.

However, the impact of this vulnerability is limited due to Kirby's built-in brute force protection: 10 failed login attempts are allowed from each IP address, and 10 failed logins are allowed for each existing user per hour.

Code Snippet

The following code snippet demonstrates the change made in the patch releases to limit password length:

// Before patch:
function validatePassword($password) {
    // No length check before hashing
    $hashedPassword = hash_password($password);
    
    // Other password validation steps
    // ...
}

// After patch:
function validatePassword($password) {
    if (strlen($password) > 100) {
        throw new Exception('Password too long');
    }

    $hashedPassword = hash_password($password);
    
    // Other password validation steps
    // ...
}

Solution

The maintainers of Kirby have released patch versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 to address this issue. These versions include password length limits in the affected sections of the code. Passwords longer than 100 bytes will now be immediately blocked, both when setting a password and when logging in.

Original References

To learn more about this vulnerability and to download the patch releases, please visit the following links:

1. Kirby CMS official website: https://getkirby.com/
2. Release notes for Kirby CMS patch releases: https://getkirby.com/changelog

Conclusion

In conclusion, CVE-2023-38492 is a vulnerability found in Kirby CMS that allows attackers to potentially cause a website to become unresponsive or unavailable by exploiting an unlimited password length issue. While the real-world impact is limited, it is essential to update your Kirby CMS versions to the patched releases to mitigate this vulnerability and other more serious issues. Follow the links provided above to download the latest patches and ensure your Kirby CMS deployment is safe and secure.

Timeline

Published on: 07/27/2023 16:15:00 UTC
Last modified on: 08/03/2023 13:35:00 UTC