Yuji Tounai of NTT Com Security(Japan)KK has reported a smaller vulnerabilty in the Panel today (CVE-2015-7773)
A logged in user can upload a PHP file without extension, when their browser or server does not handle mime type detection correctly. The uploaded file cannot do any harm yet, but the editor can then rename the file and attach the .php extension in the file editor of the Panel afterwards. Such a PHP file in your content folder could be abused to execute any sort of PHP code on your server.
This issue is only possible to reproduce with a logged in panel user following the described steps. I still decided to fix this immediately and not wait for 2.2 to release this.
The fix includes two parts:
- it's no longer possible to upload files without extension with the panel
- it's no longer possible to attach a file extension to an existing file by renaming it
Please update your core and panel as soon as possible.
Download Kirby 2.1.2
For further questions please don't hesitate to send an email at: firstname.lastname@example.org