Grav CMS Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A server-side template injection vulnerability has been identified in Grav CMS versions prior to 1.8.0-beta.27. This vulnerability allows authenticated users with editor permissions to execute arbitrary code on the server, bypassing the existing security sandbox. The issue arises because the sandbox does not fully protect the Twig object, enabling manipulation through crafted Twig directives. Exploitation involves injecting directives that interact with the Twig environment, such as calling methods or accessing attributes, which can lead to unauthorized code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, potentially leading to a full server compromise.

Reproduction

To reproduce this vulnerability, an authenticated user with editor permissions can create or edit a page in the Grav CMS admin console. The user must inject Twig template directives that exploit the sandbox bypass. For example, the directives can be crafted to add dangerous functions to the Twig filter system, such as 'system' or 'exec', and then use these functions to execute commands on the server.
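Because the injection lives in page content that editors save through the admin console, a defender's first check after reading this advisory is to audit the stored pages for Twig directives that reference the names the advisory calls out. The following script is an added example written for this advisory, not Grav's own code: it scans Markdown page files for `{{ ... }}` and `{% ... %}` directives containing `system` or `exec` (the functions named above) and, as an assumption about the bypass path, the Twig `Environment` registration methods `addFilter` and `addFunction`. The sample pages are constructed inline; the placeholder directive is deliberately not a working payload. A match is a review trigger, not proof of exploitation.

```python
"""Audit stored Grav page content for Twig directives that reference
command-execution functions or Twig environment mutation methods.

Added example for this advisory, not Grav code. The flagged names are an
assumption about what a reviewer wants surfaced, not an exhaustive list.
"""
from __future__ import annotations

import re
from pathlib import Path

# Twig output ({{ ... }}) and statement ({% ... %}) tags; directives may span lines.
# Twig comments ({# ... #}) are not executed, so they are intentionally not scanned.
TWIG_TAG = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# 'system' and 'exec' are the functions the advisory names. 'addFilter' and
# 'addFunction' are Twig Environment methods (assumption: the registration path
# the advisory describes as adding functions to the Twig filter system).
# PHP method names are case-insensitive, so the match is case-insensitive too.
SUSPICIOUS = ("system", "exec", "addFilter", "addFunction")
TOKEN = re.compile(r"\b(" + "|".join(SUSPICIOUS) + r")\b", re.IGNORECASE)


def scan_page(content: str) -> list[dict]:
    """Return one finding per suspicious token found inside a Twig directive.

    Prose outside a directive is never flagged, so ordinary text mentioning
    'system' does not produce noise.
    """
    findings = []
    for m in TWIG_TAG.finditer(content):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        for t in TOKEN.finditer(body):
            findings.append({
                "line": content.count("\n", 0, m.start()) + 1,
                "token": t.group(1).lower(),
                "directive": m.group(0).strip(),
            })
    return findings


def audit_pages(pages: dict[str, str]) -> dict[str, list[dict]]:
    """Map page name -> findings, keeping only pages with at least one hit."""
    scanned = ((name, scan_page(body)) for name, body in pages.items())
    return {name: hits for name, hits in scanned if hits}


def audit_directory(root: str) -> dict[str, list[dict]]:
    """Scan every *.md file under a Grav pages tree (assumed layout: user/pages)."""
    pages = {str(p): p.read_text(encoding="utf-8", errors="replace")
             for p in Path(root).rglob("*.md")}
    return audit_pages(pages)


# Constructed sample pages: one benign, one with a placeholder directive that
# references the flagged names but is not a working payload.
SAMPLE_PAGES = {
    "benign.md": (
        "---\ntitle: Home\n---\n"
        "# {{ page.title }}\n"
        "{% for item in page.collection() %}\n- {{ item.title }}\n{% endfor %}\n"
        "Our system exec team meets weekly.\n"   # prose, not a directive: not flagged
    ),
    "suspicious.md": (
        "---\ntitle: Draft\n---\n"
        "{# constructed placeholder, not a working payload #}\n"
        "{% set x = EDITOR_OBJECT.addFilter('exec') %}\n"
        "{{ PLACEHOLDER_ARG | system }}\n"
    ),
}


if __name__ == "__main__":
    for name, hits in audit_pages(SAMPLE_PAGES).items():
        for h in hits:
            print(f"{name}:{h['line']}: {h['token']} in {h['directive']}")
```

Run it against a real install with `audit_directory("user/pages")` as part of the upgrade to 1.8.0-beta.27: the upgrade closes the sandbox gap, but pages that were already modified by an editor account stay in content until someone looks at them.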

Remediation

Users are advised to update Grav CMS to version 1.8.0-beta.27 or later, where this vulnerability has been fixed.

Added: Dec 1, 2025, 10:28 PM
Updated: Dec 1, 2025, 10:28 PM

Vulnerability Rating

Custom Algorithm

spread:         5.2
impact:        10.0
exploitability: 6.8
remediation:    7.7
relevance:      1.3
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.