Описание
Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v 1.7.48
Summary
A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server.
This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:
preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244
Once triggered, the site becomes completely unavailable to all users.
Details
-
Vulnerable Endpoint:
POST /admin/config/system -
Submenu:
Languages -
Parameter:
Supported
The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.
Stack trace excerpt:
Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php244
Proof of Concept (PoC)
Payloads:
/
Steps to Reproduce:
-
Log into the Grav Admin Panel.
-
Navigate to: Configuration → System → Languages.
-
Locate the
Supportedfield. -
Insert one of the payloads above (e.g., a single slash
/). -
Click Save.
- Observe: All pages in the application begin throwing a fatal error and become inaccessible.
Impact
-
Application-wide Denial of Service (DoS)
-
All login and admin views crash with the same error
-
Potentially exploitable by:
-
Admin panel users
-
CSRF if misconfigured
-
References
-
CWE-1333: Improper Regular Expression
-
CWE-20: Improper Input Validation
Discoverer
by CVE-Hunters
Пакеты
getgrav/grav
< 1.8.0-beta.27
1.8.0-beta.27
Связанные уязвимости
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.