Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- 1.7.46
A vulnerability in Grav prior to version 1.8.0-beta.27 allows low-privilege users with page editing rights to read any server file through the Frontmatter form. This includes sensitive user account files that contain hashed passwords, 2FA secrets, and password reset tokens. Exploiting this vulnerability could lead to unauthorized access to user accounts, including those of administrators.
Successful exploitation allows a low-privileged user to take over any registered account, including administrators. It also enables reading of any file on the web server.
To reproduce this vulnerability, create a new page in Grav CMS version 1.7.46 with the 'Form' template. In the Frontmatter input box, include a reference to a file such as '/etc/passwd'. Once the page is saved and previewed, the contents of the specified file will be displayed. This vulnerability can also be exploited by reading Grav user account files, which are located in '/grav/user/accounts/' and have a '.yaml' extension.
Users can update to Grav version 1.8.0-beta.27 or later to address this vulnerability.
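For sites that ran an affected version, existing pages can be audited for frontmatter that references server files. The script below is an added example, not code from this advisory or from the Grav project. It assumes Grav's standard layout of Markdown page files with YAML frontmatter between `---` lines; the patterns are heuristics, and the sample page and its key names are constructed placeholders.

```python
import re
from pathlib import Path

# Heuristic patterns (assumptions, tune per site): system paths, Grav account
# files such as user/accounts/*.yaml, and directory traversal sequences.
SUSPICIOUS = (
    re.compile(r"(?<![\w.])/(?:etc|proc|root|var)/[^\s'\"]+"),
    re.compile(r"user/accounts/[^\s'\"]*\.yaml"),
    re.compile(r"\.\./"),
)

# Constructed sample page; the keys are placeholders, not real Grav form syntax.
SAMPLE = """---
title: Contact
template: form
placeholder_key: '/etc/passwd'
other_key: user/accounts/admin.yaml
---
Body text that mentions /etc/hosts is not frontmatter and is ignored.
"""

def split_frontmatter(text):
    """Return the YAML header between the two '---' lines, or '' if absent."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return ""
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return "\n".join(lines[1:i])
    return ""  # unterminated header: treat as no frontmatter

def scan_page(text):
    """Return (file_line_number, line) for frontmatter lines matching a pattern."""
    header = split_frontmatter(text).splitlines()
    return [(n, line.strip()) for n, line in enumerate(header, start=2)
            if any(p.search(line) for p in SUSPICIOUS)]

def scan_tree(pages_dir):
    """Scan every .md page under pages_dir and map file path -> findings."""
    findings = {}
    for md in Path(pages_dir).rglob("*.md"):
        hits = scan_page(md.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(md)] = hits
    return findings

if __name__ == "__main__":
    for n, line in scan_page(SAMPLE):
        print(f"frontmatter line {n}: {line}")
```

Point `scan_tree` at the site's `user/pages` directory; a hit is a lead for manual review of who edited the page, not proof of exploitation.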