Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- >= 1.7.49.5, <= 1.10.49.1
A path traversal vulnerability has been identified in Grav versions prior to 1.8.0-beta.27. When a user with the privilege to create accounts does so through the Admin UI, it is possible to include path traversal sequences in the username. This causes Grav to write the user's account YAML file to an unintended location outside the user/accounts directory. The YAML file can contain sensitive information such as the user's email, full name, two-factor authentication secret, and hashed password. Exploitation of this vulnerability could lead to unauthorized access to user accounts by overwriting account details of existing users.
Exploitation allows for overwriting of sensitive YAML files, including system and email configuration files, with attacker-controlled data. This could disrupt services or cause functional corruption. Additionally, the vulnerability enables account takeover by allowing an attacker to modify the email and password of any user, simply by creating a new account with a username that includes the victim's account name.
To reproduce this vulnerability, log into the Grav Admin UI as an administrator. Create a new user and include path traversal sequences in the username, such as '..\Nijat' or '../Nijat'. Once the user is created, the account YAML file will be written to an unintended path outside the user/accounts directory, containing the specified username and other account details.
Users can update to Grav version 1.8.0-beta.27 or later, where this vulnerability has been fixed.
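The root cause described above is a filename built directly from an untrusted username. The following PHP is an added example written for this page, not Grav's own code or its actual fix: it shows the two defensive layers an application should apply before writing a per-user file, an allow-list check on the username itself and a canonical-path containment check on the resulting file path. The class name, the accounts directory layout and the minimal YAML writer are assumptions for illustration.

```php
<?php
// Added example (not Grav's code): validate a username before using it to
// build the path of an account YAML file, then verify that the final path
// stays inside the accounts directory. Directory layout and names are assumed.

declare(strict_types=1);

final class AccountFileWriter
{
    private string $accountsDir;

    public function __construct(string $accountsDir)
    {
        $real = realpath($accountsDir);
        if ($real === false) {
            throw new RuntimeException("Accounts directory does not exist: $accountsDir");
        }
        $this->accountsDir = $real;
    }

    /**
     * First layer: accept only a simple identifier. Inputs such as
     * '..\Nijat', '../Nijat', 'a/b' or an absolute path all fail here.
     */
    public static function isValidUsername(string $username): bool
    {
        return preg_match('/^[a-z0-9_-]{3,64}$/i', $username) === 1;
    }

    /**
     * Second layer: build the candidate path and confirm that its parent
     * canonicalises to the accounts directory, so the guarantee does not
     * rest on the regex alone. Returns null when the name is rejected.
     */
    public function accountPathFor(string $username): ?string
    {
        if (!self::isValidUsername($username)) {
            return null;
        }
        $candidate = $this->accountsDir . DIRECTORY_SEPARATOR . $username . '.yaml';
        $parent = realpath(dirname($candidate));
        if ($parent === false || $parent !== $this->accountsDir) {
            return null;
        }
        return $candidate;
    }

    /** Writes the account file; returns false if the username was rejected. */
    public function writeAccount(string $username, array $data): bool
    {
        $path = $this->accountPathFor($username);
        if ($path === null) {
            return false;
        }
        // Minimal YAML serialisation for the demo; real code would use a YAML library.
        $lines = [];
        foreach ($data as $key => $value) {
            $lines[] = $key . ': ' . var_export((string) $value, true);
        }
        return file_put_contents($path, implode("\n", $lines) . "\n", LOCK_EX) !== false;
    }
}

// Demonstration against a throwaway temporary directory (constructed input).
$dir = sys_get_temp_dir() . '/accounts_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);
$writer = new AccountFileWriter($dir);

foreach (['alice', '../Nijat', '..\\Nijat', 'admin/../../config'] as $name) {
    $ok = $writer->writeAccount($name, ['email' => 'demo@example.invalid', 'fullname' => 'Demo User']);
    printf("%-22s => %s\n", $name, $ok ? 'written' : 'rejected');
}
```

Only `alice` is written; every name carrying a separator or `..` sequence is rejected by the allow-list, and the containment check would still catch a path that escaped the directory if the validation rule were ever loosened. The same two checks apply to any other filename an application derives from user-controlled data.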