Path Traversal in getgrav/grav
Reported on
Oct 28th 2021
Steps:
Host the project locally.
For example, if the address is http://127.0.0.1:8088 ==> visit http://127.0.0.1:8088/system/config/permissions.yaml ==> you will get the content of the permissions.yaml file.
Impact:
Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server. This could lead to the disclosure of sensitive data on the vulnerable server.
I cannot reproduce this, as .htaccess blocks access to any YAML file.
Are you using some other server?
Actually, I have set it up on my Kali machine using the documentation provided in the GitHub repo.
Maybe your installation doesn't allow the .htaccess file in the site? Though that would render the site unusable, as pages would not work...
I cannot access the files in any site; here's an example: https://getgrav.org/system/config/permissions.yaml
Also https://github.com/getgrav/grav/blob/develop/.htaccess#L62
That line prevents anyone from accessing the YAML files.
Yes, the filter seems to be right for those directories (system and vendor): https://github.com/getgrav/grav/blob/develop/.htaccess#L62
But we are still able to access files inside the other folders (backup, bin, cache, ...).
As for the installation, I have followed the same method as mentioned in the GitHub repo, so it must be a fault in the code logic when it is installed on Linux or similar. Please check it and let me know.
Steps that I followed for installation.
- git clone https://github.com/getgrav/grav.git
- cd grav
- bin/grav install
Access to all files is blocked for backup, cache, bin and so on:
https://github.com/getgrav/grav/blob/develop/.htaccess#L60
I just verified that it works for arbitrary files in those locations.
Then what is the issue? I followed the steps exactly as mentioned, and we don't have to manually change anything (.htaccess) after installing, right? Please try to set it up locally as I set it up on my machine and let me know. If
I followed your instructions (using git to install) and I'm still getting Forbidden for every file I try to access.
What happens if you click on the 'Typography' menu item? If the page doesn't work, your server doesn't read the .htaccess file -> server configuration issue.
The page is working --> "http://127.0.0.1:8000/typography". Is it because I am running "bin/grav install" as "sudo bin/grav install"?
If I run only "bin/grav install", the server is not running, meaning it throws an error after entering "http://127.0.0.1:8000" (even the homepage does not load).
The page is working --> "http://127.0.0.1:8000/typography". Is it because I am running "bin/grav server" as "sudo bin/grav server"?
If I run only "bin/grav server", the server is not running, meaning it throws an error after entering "http://127.0.0.1:8000" (even the homepage does not load).
OK, it looks like this is valid if using bin/grav server. That said, I think the documentation says it's only meant for development...
Nevertheless, I think it's good to have it follow the same rules as Apache.
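The whole thread turns on one question: does the server in front of Grav enforce the deny rules in .htaccess, or (as with the built-in development server) serve whatever is on disk? The following script is an added example, not code from the report or from the Grav project. It encodes a hand-written approximation of the .htaccess deny rules the maintainer linked to (blocked directories such as backup, bin and cache; sensitive file types such as .yaml under system, vendor and user; dotfiles) as regular expressions, normalizes a request path the way a web server would before matching, and then probes a running instance so that any path the rules say must be forbidden but that comes back with HTTP 200 is reported as a leak. The rule list, the `DENY_RULES`, `should_be_forbidden` and `probe` names, and the default base URL are all assumptions; the authoritative rules are in the repository's .htaccess.

```python
#!/usr/bin/env python3
"""Check whether a Grav instance serves paths that its .htaccess would deny.

Added example (not Grav's code). The rules below are an approximation of the
.htaccess deny rules discussed in the thread; consult the real file for the
authoritative list.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed approximation of the .htaccess deny rules (not copied verbatim).
DENY_RULES = [
    # Whole directories that must never be served directly.
    re.compile(r"^(?:\.git|cache|bin|logs|backup|webserver-configs|tests)/"),
    # Sensitive file types under system/, vendor/ and user/ (e.g. *.yaml).
    re.compile(
        r"^(?:system|vendor|user)/.*\.(?:txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$",
        re.IGNORECASE,
    ),
    # Any dotfile or dot-directory except .well-known.
    re.compile(r"(?:^|/)\.(?!well-known)"),
]


def normalize(path: str) -> str:
    """Reduce a request path to the form mod_rewrite would match against.

    Drops query/fragment, percent-decodes, and resolves '.' and '..' segments so
    that 'user/pages/../config/x.yaml' is judged as 'user/config/x.yaml' rather
    than slipping past a prefix check.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = urllib.parse.unquote(path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)


def should_be_forbidden(path: str) -> bool:
    """True if the (normalized) path matches any deny rule."""
    p = normalize(path)
    return any(rule.search(p) for rule in DENY_RULES)


def probe(base_url: str, paths, timeout: float = 5.0):
    """Request each path that the rules say must be denied.

    Returns a list of (path, status) for paths the server answered with 200,
    i.e. places where the front-end server is not enforcing the deny rules.
    """
    leaks = []
    for path in paths:
        if not should_be_forbidden(path):
            continue
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as exc:
            status = exc.code
        except urllib.error.URLError:
            continue  # unreachable; nothing to conclude for this path
        if status == 200:
            leaks.append((path, status))
    return leaks


# Constructed candidate list covering each rule family discussed in the thread.
CANDIDATES = [
    "/system/config/permissions.yaml",
    "/system/config/system.yaml",
    "/user/config/system.yaml",
    "/user/accounts/admin.yaml",
    "/backup/",
    "/bin/grav",
    "/cache/",
    "/.git/config",
    "/composer.json",  # not matched by the assumed rules; serves as a control
]

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000"  # assumed default
    for leaked_path, code in probe(base, CANDIDATES):
        print(f"LEAK {code} {base}{leaked_path}")
```

Run it against an Apache-fronted install and against `bin/grav server` on the same checkout; the built-in server has no notion of .htaccess, so the difference in output is exactly the gap the thread ends on. The `normalize` step matters for the "path traversal" framing in the title: a rule that only looks at the literal prefix can be sidestepped with `..` or percent-encoded segments, so the check canonicalizes before matching.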