6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26255

GHSA ID

GHSA-g3h8-cg9x-47qw

EPSS Score

0.77145%

CWE

CWE-434

Published

12/8/2020

Updated

1/11/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26255

CVE-2020-26255:
Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5

Impact

An editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file.

Visitors without Panel access cannot use this attack vector.

Patches

The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability.

Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14.

Workarounds

Kirby 2 sites on older releases can also be patched by applying the changes from this commit.

Credits

Thanks to Thore Imhof of Accenture for reporting the problem.

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26255

GHSA ID

GHSA-g3h8-cg9x-47qw

EPSS Score

0.77145%

CWE

CWE-434

Published

12/8/2020

Updated

1/11/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getkirby/panel	composer	< 2.5.14	2.5.14
getkirby/cms	composer	>= 3.0.0, < 3.4.5	3.4.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient file type validation in the checkUpload() function. The commit diff shows 'phar' was added to the forbidden extensions array ($forbiddenExtensions) and the extension check condition (str::contains) was updated to include 'phar'. Prior to the patch, this function did not block .phar files, enabling the upload of executable PHP archives. The function's role in file validation directly maps to CWE-434 (Unrestricted Upload of Dangerous File Type), and the patch explicitly addresses this gap.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n **itor wit* *ull ****ss to t** Kir*y P*n*l **n uplo** * P*P `.p**r` *il* *n* *x**ut* it on t** s*rv*r. T*is vuln*r**ility is *riti**l i* you mi**t **v* pot*nti*l *tt**k*rs in your *roup o* *ut**nti**t** P*n*l us*rs, *s t**y **n **in **

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt *il* typ* v*li**tion in t** `****kUplo**()` *un*tion. T** *ommit *i** s*ows 'p**r' w*s ***** to t** *or*i***n *xt*nsions *rr*y ($*or*i***n*xt*nsions) *n* t** *xt*nsion ****k *on*ition (`str::*ont*ins`) w*s up

6.8

Basic Information

Concerned about an active attack path?

CVE-2020-26255: Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5

Impact

Patches

Workarounds

Credits

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-26255:
Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5

Vulnerability Intelligence
Miggo AI