Grav Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in Grav versions prior to 1.8.0-beta.27. It allows authenticated attackers with editor permissions to execute arbitrary commands on the server, and under certain conditions it may also be exploited by unauthenticated attackers. The root cause is the 'cleanDangerousTwig' method, which relies on a regular expression to strip dangerous Twig constructs from user-supplied content; the pattern can be bypassed, so content that was meant to be filtered still reaches Twig, the templating engine used by Grav, and is evaluated.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, potentially leading to a full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user with editor permissions creates or modifies a form so that one of its process actions calls the 'evaluate_twig' function. The save request is intercepted and the payload is written in a form that the 'cleanDangerousTwig' regular expression does not recognise, so the filter leaves it in place. Once the form is submitted, the injected Twig is evaluated on the server; a harmless marker expression (for example simple arithmetic) whose computed result appears in the response is enough to confirm evaluation before anything more intrusive is attempted.
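The mechanism behind the two paragraphs above (a regular-expression blocklist over template text that a differently written expression slips past) as an added example; this is not code from Grav or from the advisory. It is written in Python rather than Grav's PHP, 'NAIVE_PATTERN' is a hypothetical blocklist that stands in for no specific Grav pattern, and the sample snippets are constructed. It contrasts that blocklist with a check that extracts every Twig tag form (plain, whitespace-control, and block tags) and inspects the identifiers used inside.

```python
import re

# Grav helper functions that evaluate arbitrary Twig (and through it, PHP) at
# render time; user-controlled page or form definitions must never reach them.
DANGEROUS_FUNCTIONS = ("evaluate", "evaluate_twig")

# Illustrative weak filter. This is NOT Grav's cleanDangerousTwig pattern; it
# stands in for any blocklist that only recognises a dangerous call written
# directly inside a plain "{{ ... }}" output tag.
NAIVE_PATTERN = re.compile(
    r"\{\{\s*(?:" + "|".join(DANGEROUS_FUNCTIONS) + r")\s*\("
)

# Every Twig tag form: {{ }}, {{- -}}, {{~ ~}}, {% %}, {%- -%}, {%~ ~%}.
TAG_PATTERN = re.compile(r"\{(?:[{%])[-~]?(.*?)[-~]?(?:[}%])\}", re.DOTALL)
# Quoted strings (single or double, with backslash escapes) inside a tag body.
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"')
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def naive_filter_flags(text: str) -> bool:
    """Return True if the weak regex blocklist would reject this text."""
    return NAIVE_PATTERN.search(text) is not None


def find_dangerous_calls(text: str) -> list:
    """Return (function_name, tag) pairs for every Twig tag, of any delimiter
    form, whose expression uses a dangerous function as an identifier.
    Quoted strings are blanked first so 'evaluate' as data is not a hit."""
    hits = []
    for tag in TAG_PATTERN.finditer(text):
        body = STRING_LITERAL.sub("''", tag.group(1))
        for ident in IDENTIFIER.findall(body):
            if ident in DANGEROUS_FUNCTIONS:
                hits.append((ident, tag.group(0)))
    return hits


# Constructed samples (not payloads from the advisory); each models a way a
# form "process" definition might carry a Twig expression over form input.
SAMPLES = {
    "plain":       "{{ evaluate_twig(form.value.note) }}",
    "ws_control":  "{{- evaluate_twig(form.value.note) -}}",
    "block_tag":   "{% set out = evaluate_twig(form.value.note) %}",
    "string_only": "{{ 'evaluate_twig' }}",
    "benign":      "Thanks, {{ form.value.name|e }}!",
}


def compare_filters() -> dict:
    """For each sample: (naive blocklist verdict, names the token check found)."""
    return {
        name: (naive_filter_flags(src),
               [fn for fn, _ in find_dangerous_calls(src)])
        for name, src in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, tokens) in compare_filters().items():
        print(f"{name:12s} naive_blocks={naive!s:5s} token_check={tokens}")
```

The naive blocklist catches only the "plain" sample; the whitespace-control form and the block tag carry the same call past it, which is the general shape of a regex-filter bypass. The token check is an audit heuristic, not a Twig parser (it does not understand strings containing tag delimiters, for instance); for anything load-bearing, run the real Twig lexer over the content, and for Grav itself the fix is the patched release, not a better blocklist.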

Remediation

Users are advised to update Grav to version 1.8.0-beta.27 or later, where this vulnerability has been fixed. Until the update is applied, treat every account with editor permissions as able to run code on the host, and limit those accounts accordingly.

Added: Dec 1, 2025, 9:20 PM
Updated: Dec 1, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact         10.0
exploitability  6.8
remediation     7.7
relevance       1.2
threat          7.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.