VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2015 · Updated May 6, 2026

CVE-2015-7773

Description

Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an extension, and then renaming this file to have a .php extension.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kirby CMS Panel component before 2.1.2 allows authenticated users to upload arbitrary files and rename them to .php, leading to remote code execution.

Vulnerability

The Panel component in Bastian Allgeier Kirby before version 2.1.2 contains an unrestricted file upload vulnerability [1][2]. An authenticated user with access to the Panel can upload a file that lacks a file extension. The application does not validate the file type or require an extension, allowing the uploaded file to be stored on the server. Subsequently, the attacker can rename the uploaded file to have a .php extension, which the server then interprets as executable PHP code [1]. This affects Kirby 2.1.1 and earlier [2].
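The missing check described above is a name policy that must run on every operation that can set a file's name on disk, the rename path included. The following is an added illustration in Python, written for this page; it is not Kirby's code and not the vendor's 2.1.2 fix. The allowlist, the executable-extension set, the `LegacyStore` that models the pre-fix pattern (an extension check that only fires when an extension is present, and an unchecked rename) and the `HardenedStore` that applies one policy to uploads and renames are all constructed for the example.

```python
import os
import re
from typing import Dict, Tuple

# Constructed allowlist for a CMS media panel (assumption for this example).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "md"})
# Extensions a PHP-enabled web server may hand to the interpreter.
EXECUTABLE_EXTENSIONS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})
# One path segment, no leading dot, conservative characters only.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UploadError(ValueError):
    """Raised when a file name fails the panel's name policy."""


def split_name(name: str) -> Tuple[str, str]:
    """Return (stem, lowercase extension without the dot); extension is '' if absent."""
    stem, dot_ext = os.path.splitext(name)
    return stem, dot_ext[1:].lower()


def validate_filename(name: str) -> str:
    """Apply one name policy to uploads and renames alike.

    Rejects path components, unusual characters, a missing extension,
    executable extensions, and executable segments hidden in the stem
    (e.g. 'a.php.jpg'). Returns the accepted name unchanged.
    """
    if name != os.path.basename(name) or not _SAFE_NAME.match(name):
        raise UploadError(f"unsafe file name: {name!r}")
    stem, ext = split_name(name)
    if not ext:
        raise UploadError(f"extension required: {name!r}")
    if ext in EXECUTABLE_EXTENSIONS:
        raise UploadError(f"executable extension rejected: {name!r}")
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadError(f"extension not in allowlist: {name!r}")
    for segment in stem.split(".")[1:]:
        if segment.lower() in EXECUTABLE_EXTENSIONS:
            raise UploadError(f"executable segment in name: {name!r}")
    return name


class LegacyStore:
    """Constructed model of the pre-fix pattern: the extension check only fires
    when an extension is present, and rename performs no check at all."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def upload(self, name: str, data: bytes) -> str:
        _, ext = split_name(name)
        if ext and ext in EXECUTABLE_EXTENSIONS:
            raise UploadError("executable extension rejected")
        self.files[name] = data            # a name with no extension passes
        return name

    def rename(self, old: str, new: str) -> str:
        self.files[new] = self.files.pop(old)   # no policy check on the new name
        return new


class HardenedStore(LegacyStore):
    """Applies validate_filename to every name that can end up on disk."""

    def upload(self, name: str, data: bytes) -> str:
        name = validate_filename(name)
        self.files[name] = data
        return name

    def rename(self, old: str, new: str) -> str:
        if old not in self.files:
            raise KeyError(old)
        new = validate_filename(new)            # the new name is what reaches disk
        self.files[new] = self.files.pop(old)
        return new


def is_rejected(store: LegacyStore, op: str, *args) -> bool:
    """True if the store refuses the operation under its name policy."""
    try:
        getattr(store, op)(*args)
        return False
    except UploadError:
        return True
```

The point of the two classes is that the legacy `rename` trusts a name that was never validated for its new extension; the hardened version treats the new name as untrusted input and runs the same policy as `upload`. As general defence in depth beyond what the page documents, the upload directory should also be served with script execution disabled, so that a policy gap in the application does not by itself become code execution.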

Exploitation

To exploit this vulnerability, an attacker must have a valid account with access to the Kirby Panel (authentication is required) [2]. The attacker uploads a file containing arbitrary PHP code but deliberately omits a file extension. After the upload, the attacker uses the Panel's file management functionality to rename the file, appending a .php extension. No additional user interaction or special network position is needed beyond being able to reach the Panel interface [1].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server with the privileges of the web server process [1][2]. This can lead to full compromise of the CMS, including data theft, defacement, or further server-side attacks. The impact is rated as medium severity (CVSS v2 base score 6.5) with partial loss of confidentiality, integrity, and availability [2].

Mitigation

The vendor released Kirby version 2.1.2 to fix this vulnerability [1][2]. Users should update to 2.1.2 or later immediately. No workarounds are documented in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • Getkirby/Kirby (inferred)
    Range: <2.1.2
  • cpe:2.3:a:bastian_allgeier:kirby:*:*:*:*:*:*:*:* (+1 more)
    • cpe:2.3:a:bastian_allgeier:kirby:*:*:*:*:*:*:*:*, range: <=2.1.1
    • (no CPE), range: <2.1.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.