Grav CMS Path Traversal Vulnerability in Backup Tool Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Grav CMS versions prior to 1.8.0-beta.27. It allows authenticated attackers with administrative privileges to read arbitrary files from the server's filesystem. The issue stems from inadequate sanitization of the backup tool's 'Root Folder' setting: a user-supplied path is not confined to the designated webroot, so it can reference directories outside it. The impact is contingent upon the privileges of the user account running the application, since the backup process can only read what that account can read.
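As an added illustration of the missing check described above (example code written for this page, not code from Grav or from the advisory's author, and in Python rather than Grav's PHP), the function below canonicalizes a user-supplied 'Root Folder' value and accepts it only if the resolved path still lies inside the webroot. The directory layout built in demo() is constructed for the example; the webroot, outside and link_out names are assumptions.

```python
import os
import tempfile
from typing import Optional


def resolve_within_root(webroot: str, user_path: str) -> Optional[str]:
    """Canonicalize user_path relative to webroot and return it only if it
    still lies inside webroot; return None for anything that escapes.

    realpath() collapses '..' segments and follows symlinks, so the check
    runs on the path the filesystem would actually open, not on the string
    the user typed.
    """
    root = os.path.realpath(webroot)
    # os.path.join discards root when user_path is absolute; that is fine,
    # because the containment check below rejects the result anyway.
    candidate = os.path.realpath(os.path.join(root, user_path))
    # Compare on a separator boundary: a plain startswith(root) would let
    # "/var/www-other" pass for a root of "/var/www".
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def check_backup_root(webroot: str, user_path: str) -> str:
    """Behaviour a backup tool should apply to its 'Root Folder' setting:
    accept only folders that resolve inside the webroot, otherwise refuse
    to save the configuration."""
    resolved = resolve_within_root(webroot, user_path)
    if resolved is None:
        raise ValueError(f"backup root {user_path!r} resolves outside the webroot")
    return resolved


def demo() -> dict:
    """Exercise the check against a constructed directory layout (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(webroot, "user", "pages"))
        outside = os.path.join(tmp, "outside")            # constructed: stands in for the rest of the filesystem
        os.makedirs(outside)
        os.makedirs(webroot + "-other")                   # constructed: sibling sharing a string prefix
        os.symlink(outside, os.path.join(webroot, "link_out"))  # constructed: symlink pointing out of the webroot

        def allowed(p: str) -> bool:
            return resolve_within_root(webroot, p) is not None

        return {
            "subfolder": allowed("user/pages"),                 # inside the webroot: allowed
            "dot": allowed("."),                                # the webroot itself: allowed
            "traversal": allowed("../.."),                      # the pattern named in the advisory: rejected
            "nested_traversal": allowed("user/../../outside"),  # traversal hidden after a valid segment: rejected
            "absolute": allowed("/"),                           # absolute path replacing the root: rejected
            "symlink": allowed("link_out"),                     # symlink escaping the root: rejected
            "sibling_prefix": allowed("../webroot-other"),      # prefix collision without separator: rejected
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'allowed' if ok else 'rejected'}")
```

The check is applied when the setting is saved and again when the backup runs, so a value edited directly in a configuration file is caught too; realpath() is what makes the symlink and nested-traversal cases fail, which a plain substring test for '..' would not.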

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, depending on the privileges of the user account running the application. In a tested scenario, the vulnerability was exploited to read the SSH private key of the root user, which implies the web server process itself had root-level read access; possession of that key would allow an attacker to gain complete administrative access to the host server.

Reproduction

To reproduce this vulnerability, log into Grav CMS as an admin and navigate to the 'Backups' tool. Change the 'Root Folder' to a path that traverses directories, such as '../..', to access files outside the webroot. After saving the backup configuration, initiate the backup process. The vulnerability can be demonstrated by extracting a file, such as the SSH private key from the root user's home directory, which would indicate a successful exploitation of the path traversal flaw.

Remediation

Update to Grav CMS version 1.8.0-beta.27 or later, where this vulnerability has been fixed. Because the impact depends on the privileges of the account running Grav, running the web server as an unprivileged user limits what a traversal can read even on installations that have not yet been patched.

Added: Dec 1, 2025, 10:25 PM
Updated: Dec 1, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.3
exploitability: 6.3
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.