Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- 1.7.48
A broken access control vulnerability has been identified in Grav versions prior to 1.8.0-beta.27. This issue allows editors with limited permissions to alter the functionality of forms by modifying the YAML frontmatter through a POST request to the '/admin/pages/{page_name}' endpoint. The 'process' section of the frontmatter, which controls post-submission actions, can be manipulated, potentially leading to further vulnerabilities.
Exploitation of this vulnerability allows unauthorized modification of form processing actions, including redirects, email notifications, and Twig template changes. This could disrupt normal form functionality or, in some cases, lead to code execution by breaking out of the Twig sandbox.
To reproduce this vulnerability, first ensure that the Admin and Form plugins are installed. Log into the Grav admin panel as an administrator, create a user with editor permissions for pages, and log in as that user. Note that the user will be unable to edit any process fields in the panel. Afterward, intercept a POST request to the '/admin/pages/{page_name}' endpoint. In the request, modify the 'data[_json][header][form]' field with a payload that includes a 'process' section designed to exploit the vulnerability, such as by injecting code execution commands. Once the request is sent, the changes will be applied to the form, demonstrating the successful exploitation of the vulnerability.
Users are advised to update Grav to version 1.8.0-beta.27 or later, where this vulnerability has been fixed.
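The kind of server-side check this advisory calls for, as an added example that is not Grav's code or its actual fix: when a page save comes from a user who may not edit form processing, the stored `process` value is kept and the attempt is reported, whatever the request body contains. The function names, the `may_edit_process` flag and the sample data are assumptions constructed for illustration.

```python
import copy
import json

# Assumption: protected frontmatter paths; the advisory names only form.process.
PROTECTED_PATHS = (("form", "process"),)
_MISSING = object()

def _get(tree, path):
    """Walk nested dicts; return _MISSING if any key is absent."""
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return _MISSING
        tree = tree[key]
    return tree

def _restore(tree, path, value):
    """Put the stored value back, or delete the key if it was never stored."""
    for key in path[:-1]:
        if not isinstance(tree.get(key), dict):
            tree[key] = {}
        tree = tree[key]
    if value is _MISSING:
        tree.pop(path[-1], None)
    else:
        tree[path[-1]] = copy.deepcopy(value)

def merge_editor_save(stored_header, submitted_form_json, may_edit_process):
    """Return (header_to_save, violations) for one page-save request."""
    form = json.loads(submitted_form_json)
    if not isinstance(form, dict):
        raise ValueError("form frontmatter must be a mapping")
    header = copy.deepcopy(stored_header)
    header["form"] = form  # fields the editor is allowed to change
    violations = []
    if not may_edit_process:
        for path in PROTECTED_PATHS:
            before = _get(stored_header, path)
            if _get(header, path) != before:
                violations.append(".".join(path))  # log or alert on this
                _restore(header, path, before)
    return header, violations

# Constructed sample data: a stored header and a request body that also changes 'process'.
STORED = {"title": "Contact", "form": {"name": "contact",
          "fields": [{"name": "email"}], "process": [{"message": "Thank you"}]}}
TAMPERED = json.dumps({"name": "contact",
                       "fields": [{"name": "email", "label": "Your email"}],
                       "process": [{"redirect": "/elsewhere"}]})
```

The point is that the permission decision is made on the server against the stored value, so hiding the field in the admin panel is not what enforces it.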