Description
Grav is vulnerable to Arbitrary File Read
Summary
- A low privilege user account with page editing privilege can read any server files using "Frontmatter" form.
- This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token.
- This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.
Details
The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig
PoC
- This PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46
- Go to "http://grav.local/admin/pages", then create a new page with the "Page Template" option set to "Form".
- Then go to "Expert" and, in the Frontmatter input box, use the following form template.
- Save the page and open the preview or the published page; you will see the content of the "/etc/passwd" file on the server.
Impact
This can allow a low-privileged user to perform a full account takeover of other registered users, including Administrators. It also allows an adversary to read any file on the web server. Additionally, due to insufficient permission verification, a user who can write a page can also use the frontmatter feature via the IDOR vulnerability whose PoC is described in CVE-2024-2792.
Packages
getgrav/grav
Affected versions: < 1.8.0-beta.27
Patched version: 1.8.0-beta.27
Related vulnerabilities
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low privilege user account with page editing privilege can read any server files using the "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27.