Grav Server-Side Template Injection Vulnerability Revealing Configuration Details

Vulnerability

A server-side template injection vulnerability has been identified in Grav versions prior to 1.8.0-beta.27. This vulnerability allows the entire Grav configuration, including sensitive plugin details, to be exposed through a simple form. By sending a specific POST payload, the vulnerability can be exploited to leak configuration information, which may contain sensitive data.

Impact

Exploitation of this vulnerability leads to unauthorized access to the entire Grav configuration, including sensitive plugin details, which could be misused or disclosed inappropriately.

Reproduction

To reproduce this vulnerability, create a form with the name 'hero-form' and two fields: 'registration-number' and 'hp'. Set the form method to POST. After submitting the form with the specified payload, including a unique_form_id field that triggers the vulnerability, the response will contain a PHP array with the complete Grav configuration details, including plugin information.

Remediation

Users can upgrade to Grav version 1.8.0-beta.27 or later to address this vulnerability.

Added: Dec 1, 2025, 10:29 PM
Updated: Dec 1, 2025, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.