logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-34448 getgrav/grav

Package

Manager: composer
Name: getgrav/grav
Vulnerable Version: >=0 <1.7.42

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.06077 pctl0.90393

Details

Grav Server-side Template Injection (SSTI) via Twig Default Filters Hi, actually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023. # Grav Server-side Template Injection (SSTI) via Twig Default Filters ## Summary: | **Product** | Grav CMS | | ----------------------- | --------------------------------------------- | | **Vendor** | Grav | | **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | **Affected Versions** | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) | | **Tested Versions** | v1.7.40 | | **Internal Identifier** | STAR-2023-0008 | | **CVE Identifier** | TBD | | **CWE(s)** | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine | ## CVSS3.1 Scoring System: **Base Score:** 7.2 (High) **Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` | **Metric** | **Value** | | ---------------------------- | --------- | | **Attack Vector (AV)** | Network | | **Attack Complexity (AC)** | Low | | **Privileges Required (PR)** | High | | **User Interaction (UI)** | None | | **Scope (S)** | Unchanged | | **Confidentiality \(C)** | High | | **Integrity (I)** | High | | **Availability (A)** | High | ## Product Overview: Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin. ## Vulnerability Summary: The patch for [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/), a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. ## Vulnerability Details: Twig comes with an extension known as the [Core Extension](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) that is enabled by default when initialising a new [Twig environment](https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148). Twig's Core Extension provides multiple built-in filters, such as the `filter()` function, which can be used in Twig templates. [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/) leverages the default `filter()` filter function in Twig to invoke arbitrary unsafe functions. This was patched by overriding the default `filter()` filter function in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) of Grav v1.7.34 to perform validation checks on the arguments passed to `filter()`: ~~~diff php ... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix + new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), ]; } ... + /** + * @param Environment $env + * @param array $array + * @param callable|string $arrow + * @return array|CallbackFilterIterator + * @throws RuntimeError + */ + function filterFilter(Environment $env, $array, $arrow) + { + if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { + throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.'); + } + + return \twig_array_filter($env, $array, $arrow); + } } ~~~ However, looking at the source code of [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) of Twig, alternative default Twig filters could also be used invoke arbitrary functions: ~~~php ... class CoreExtension extends AbstractExtension { ... public function getFilters(): array { return [ ... // array helpers ... new TwigFilter('filter', 'twig_array_filter', ['needs_environment' => true]), // unsafe new TwigFilter('map', 'twig_array_map', ['needs_environment' => true]), // unsafe new TwigFilter('reduce', 'twig_array_reduce', ['needs_environment' => true]), // unsafe ]; } ~~~ The three filter functions above respectively call `array_filter()`, `array_map()` and `array_reduce()`. Since only `filter()` is being overriden by Grav to ensure that the callable passed to `filter()` does not result in the invocation of an unsafe function, the other two functions (i.e. `map()` and `reduce()`) could be used by an authenticated attacker that is able to inject and render malicious templates to gain remote code execution. ## Exploit Conditions: This vulnerability can be exploited if the attacker has access to: 1. an administrator account, or 2. a non-administrator, user account that are granted the following permissions: - login access to Grav admin panel, and - page creation or update rights ## Reproduction Steps: 1. Log in to Grav Admin using an administrator account. 2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user: * Login to Admin - Allowed * Page Update - Allowed 2. Log out of Grav Admin, and log back in using the account created in step 2. 3. Navigate to `http://<grav_installation>/admin/pages/home`. 4. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage. 5. Under the `Content` tab, insert the following payload within the editor: ~~~twig {{ ['id'] | map('system') }} {{ ['id'] | reduce('system') }} ~~~ 4. Click the Preview button. Observe that the output of the `id` shell command is returned in the preview. ## Suggested Mitigations: Override the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`. For example: ~~~diff ... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), + new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]), + new TwigFilter('reduce', [$this, 'reduceFilter'], ['needs_environment' => true]), ]; } ... + /** + * @param Environment $env + * @param array $array + * @param callable|string $arrow + * @return array|CallbackFilterIterator + * @throws RuntimeError + */ + function mapFilter(Environment $env, $array, $arrow) + { + if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) { + throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.'); + } + + return \twig_array_map($env, $array, $arrow); + } + + /** + * @param Environment $env + * @param array $array + * @param callable|string $arrow + * @return array|CallbackFilterIterator + * @throws RuntimeError + */ + function reduceFilter(Environment $env, $array, $arrow) + { + if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) { + throw new RuntimeError('Twig |reduce("' . $arrow . '") is not allowed.'); + } + + return \twig_array_reduce($env, $array, $arrow); + } }

Metadata

Created: 2023-06-16T19:37:08Z
Modified: 2023-06-16T19:37:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-whr7-m3f8-mpm8/GHSA-whr7-m3f8-mpm8.json
CWE IDs: ["CWE-1336", "CWE-20"]
Alternative ID: GHSA-whr7-m3f8-mpm8
Finding: F422
Auto approve: 1