
CVE-2020-26253: Kirby .dev domains and some reverse proxy setups were treated as local

CVSS Score: 6.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.37852%
Published: 1/14/2021
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Package Name      Ecosystem   Vulnerable Versions   First Patched Version
getkirby/panel    composer    < 2.5.14              2.5.14
getkirby/cms      composer    >= 3.0.0, < 3.3.6     3.3.6

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the origin validation logic in the isLocal() function. The commit diff shows the function was modified to: 1) remove the assumption that .dev domains are local, 2) add support for .local domains, and 3) add reverse proxy header checks. The original (vulnerable) implementation relied on a hardcoded list of localhost IPs and domain suffixes (.localhost, .test) without any handling for reverse proxies, and it did not account for .dev having become a public TLD. As a result, an attacker could bypass the installation protection on .dev domains or on installations running behind a reverse proxy.


WAF Protection Rules

WAF Rule

### Impact

#### About our registration block

In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented
