Kirby is a popular content management system (CMS) that has recently introduced the "Custom" link field in its version 4. This new link field type allows users to input and validate different link types, each corresponding to a specific URL format. Although this feature provides flexibility to users for advanced use cases, it also presents a security vulnerability, as the "Custom" link type also enables the "javascript:" URL scheme, allowing attackers to execute arbitrary JavaScript code when a user clicks on the malicious link.
In this article, we will delve into the details of this vulnerability, CVE-2024-27087, and demonstrate a potential exploit scenario. Additionally, we will explore the patch released in Kirby 4.1.1 that prevents this vulnerability.
Suppose we have the following link field in a Kirby CMS project
link:
label: Custom Link
type: link
allowedTypes:
- custom
An attacker could exploit this vulnerability by inserting the following value for the custom link
javascript:alert('XSS Attack');
Original References
This vulnerability was reported and flagged by the Kirby security team in their official GitHub repository here. You can find further details and discussions regarding this issue in the Kirby forum as well.
Exploit Details
The exploit occurs when an unsuspecting user or visitor clicks on the malicious link generated using the "Custom" link field containing a javascript: URL scheme. As a result, the attacker can execute arbitrary JavaScript code within the user's browser context. This can lead to potential security breaches such as Cross-Site Scripting (XSS) attacks or the unauthorized extraction of sensitive user data.
Mitigation and Patch
The Kirby developers have released a patch in version 4.1.1 to address this security vulnerability. In this update, the "Custom" link field no longer supports the javascript: URL scheme by default. As a result, attempting to insert a malicious javascript: URL will not pass the validation process anymore. Therefore, it is highly recommended for all Kirby CMS users to update their installations to version 4.1.1 or above to mitigate this security risk.
In case you still need to allow the javascript: URL scheme in your project, you can do so by including it explicitly in the allowed schemes of your link field:
link:
label: Custom Link
type: link
allowedTypes:
- custom
custom:
allowedSchemes:
- javascript
Keep in mind that enabling the javascript: URL scheme carries potential security risks, and we advise you to carefully evaluate your use case before allowing this functionality.
Conclusion
Kirby CMS's "Custom" link field vulnerability, CVE-2024-27087, demonstrates the importance of constant vigilance in software security and the potential risks associated with adding new features. Thankfully, the Kirby team addressed this vulnerability promptly, and users can now safely implement the flexible "Custom" link field in their projects with the updated version 4.1.1. Ensure that you keep your installations up to date and make informed decisions when enabling advanced features that could potentially expose your projects to security risks.
Timeline
Published on: 02/26/2024 17:15:10 UTC
Last modified on: 02/26/2024 22:10:40 UTC