This is our last release before Kirby 2 reaches end of life on December 31, 2020.
Please upgrade to Kirby 3: https://github.com/getkirby
Security release
We've been contacted by the security researcher Thore Imhof of Accenture with a vulnerability report that affects the Panel of Kirby 2.
An editor with full access to the Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of Panel users, as they can gain access to the server with such a phar file. Visitors without Panel access cannot use this attack vector.
We received this report yesterday and this release will prevent the attack.
We recommend upgrading your sites to Kirby 3. Kirby 2 reaches end of life in 4 weeks. If you cannot upgrade, we still recommend updating to this latest release.
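
To check whether a phar file was already uploaded before you updated, the following added example (not part of the Kirby release or its code) scans an upload directory for phar files by name and by content. The function names and the directory argument are assumptions; point it at wherever your site stores Panel uploads.

```shell
#!/bin/sh
# Added example, not Kirby code: report files under an upload directory
# that look like phar archives, so they can be reviewed and removed.
# Assumption: the directory to scan is passed as the first argument.

# Files whose name ends in .phar, in any letter case (.phar, .PHAR, .Phar).
phar_by_name() {
    find "$1" -type f -iname '*.phar' | sort
}

# Files that contain the __HALT_COMPILER(); token carried by a phar stub,
# whatever their extension. Other PHP files can contain it too, so treat
# these as candidates for review, not as confirmed phar archives.
phar_by_marker() {
    find "$1" -type f -exec grep -l -a -F '__HALT_COMPILER();' {} + | sort
}

# Combined, de-duplicated report.
# Returns 0 if nothing was found, 1 if there are findings, 2 on bad input.
audit_uploads() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    hits=$( { phar_by_name "$dir"; phar_by_marker "$dir"; } | sort -u )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/uploads
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```

A non-zero exit status with a list of paths means there are files to review; also check them against your Panel users' upload history.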