Grav Password Hash Exposure Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability in Grav, a file-based web platform, prior to version 1.8.0-beta.27, allows any user with read access to the user account management section of the admin panel to view the password hashes of all users, including the admin. An attacker who obtains the hashes can attempt to crack them offline; recovering the admin password then yields full control of the admin panel. The vulnerability arises because the hashed password is not protected when user data is serialized for the admin page, so it ends up in output that a lower-privileged admin user can read.

Impact

Exposing password hashes can lead to unauthorized access: if the admin password hash is cracked, the attacker can log in as the admin and compromise the entire admin panel. Because cracking happens offline against the hash, the login form's rate limiting and lockouts provide no protection; the only defenses are the strength of the password and the cost of the hashing algorithm.

Reproduction

To reproduce this vulnerability, log into the admin panel with an account that has read access to user accounts but is not itself a super-admin. Navigate to the user account management section and open the profile of any user, including the admin. Inspect the page source (for example with the browser's view-source or developer tools) to find the exposed password hash, and confirm it is the real stored hash by comparing it with the hashed_password value in the admin account file, admin.yaml. The hash can then be fed to an offline cracking tool such as hashcat or John the Ripper; whether the admin password is actually recovered depends on its strength and on the cost factor of the hash.
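The "inspect the page source" and "compare with admin.yaml" steps can be automated so that a scan of a saved admin page tells you whether the site is affected and which cracking mode the leaked hash needs. The following Python script is an added example, not code from the Grav project or from this advisory: the page source, the account file and the hash it contains are constructed, and it assumes Grav stores bcrypt or Argon2 hashes produced by PHP's password_hash() under the hashed_password key of the account YAML.

```python
import re

# Patterns for PHP password_hash() outputs. Grav is assumed to store bcrypt
# ("$2y$") hashes; the Argon2 forms are included so the scan also catches sites
# that switched algorithms. A bcrypt string is "$2y$" + cost + "$" + 53 chars.
HASH_RE = re.compile(
    r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    r"|\$argon2(?:id|i)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"
)

# Constructed, non-real bcrypt hash used in all samples below (assumption).
FAKE_BCRYPT = "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"

# Constructed page source resembling a vulnerable admin user page: the user
# record is serialized into an inline script with the hash field included.
VULNERABLE_HTML = """<html><body>
<form id="user-form"><input name="data[email]" value="admin@example.com"></form>
<script>
var userData = {"username":"admin","email":"admin@example.com",
  "hashed_password":"%s","access":{"admin":{"login":true,"super":true}}};
</script>
</body></html>
""" % FAKE_BCRYPT

# Constructed page source for a patched site: same record, hash field dropped.
PATCHED_HTML = VULNERABLE_HTML.replace('"hashed_password":"%s",' % FAKE_BCRYPT, "")

# Constructed contents of the admin account file (admin.yaml).
ADMIN_YAML = """email: admin@example.com
fullname: Administrator
title: Administrator
state: enabled
access:
  admin:
    login: true
    super: true
  site:
    login: true
hashed_password: %s
""" % FAKE_BCRYPT


def find_hashes(page_source: str) -> list:
    """Return the distinct password hashes found anywhere in a page's source."""
    return sorted(set(HASH_RE.findall(page_source)))


def classify(h: str) -> str:
    """Name the hash algorithm so the right cracking mode can be chosen."""
    if h.startswith("$2"):
        return "bcrypt"  # hashcat -m 3200 / john --format=bcrypt
    if h.startswith("$argon2id$"):
        return "argon2id"
    if h.startswith("$argon2i$"):
        return "argon2i"
    return "unknown"


def stored_hash(account_yaml: str) -> str:
    """Pull hashed_password out of an account file without a YAML library."""
    for line in account_yaml.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "hashed_password":
            return value.strip().strip("'\"")
    return ""


def leaks_stored_hash(page_source: str, account_yaml: str) -> bool:
    """True if the page exposes the exact hash kept on disk for this account."""
    h = stored_hash(account_yaml)
    return bool(h) and h in find_hashes(page_source)


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_HTML), ("patched", PATCHED_HTML)):
        found = find_hashes(page)
        print(label, "->", [(h, classify(h)) for h in found],
              "| matches on-disk hash:", leaks_stored_hash(page, ADMIN_YAML))
```

Run it against a saved copy of the admin user page fetched with a non-super-admin account; a hit whose value equals the hashed_password in the account file confirms the exposure, and the algorithm name selects the cracking mode. Note that bcrypt's cost factor makes each guess slow, so a long random admin passphrase will survive a dictionary attack even when the hash is leaked.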

Remediation

Update to Grav version 1.8.0-beta.27 or later, where this vulnerability has been fixed. Because hashes may already have been viewed by lower-privileged admin users, treat them as potentially compromised: after updating, rotate the passwords of all accounts, the admin above all, and review which accounts had read access to the user management section. Until the update can be applied, limit that access to fully trusted administrators.

Added: Dec 1, 2025, 10:23 PM
Updated: Dec 1, 2025, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.