Grav Remote Code Execution Vulnerability via Malicious ZIP Upload in Direct Install Tool

Vulnerability

A remote code execution vulnerability affects Grav versions prior to 2.0.0-beta.2. An authenticated user with administrative privileges can execute arbitrary PHP code by uploading a specially crafted ZIP archive through the 'Direct Install' tool. The upload handling blocks PHP files submitted directly, but it does not inspect the contents of an uploaded ZIP archive, so a PHP payload wrapped in an archive passes the check. Once the malicious plugin is extracted, its PHP code runs on the server and can install a persistent web shell.

Impact

Successful exploitation yields remote code execution on the server; the attacker's code runs as the web server user, with whatever filesystem and network access that account has. Because exploitation requires an existing administrator account, the boundary crossed is from Admin-panel privileges to command execution on the host, and a dropped web shell persists independently of the admin credentials that were used to plant it.

Reproduction

An authenticated administrator uploads a ZIP archive containing a crafted Grav plugin through the 'Direct Install' tool in the Admin panel. The archive is accepted because only the upload itself is screened for PHP, not the files inside it. After extraction, the plugin's PHP code executes on the server and can create a persistent web shell.
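The gap described in the Vulnerability and Reproduction sections, as an added example in Python (this is not Grav's code and not the upstream fix): an extension-only upload filter placed beside a pre-extraction inspection of the archive's entries. The handler extension list, the sample plugin layout and the sample archive are assumptions constructed for the example. Grav plugins legitimately contain PHP, so the inspection reports what the naive filter never sees rather than deciding policy for you; an entry that escapes the extraction directory, by contrast, should always be rejected.

```python
"""Extension-only upload filter vs. pre-extraction archive inspection.

Added example, not Grav's code or its fix. The extension list, the sample
entries and the plugin layout are assumptions made for illustration.
"""
import io
import zipfile

# Extensions the web server typically hands to the PHP interpreter
# (assumption: a common Apache/nginx handler set; match it to your config).
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
}
# Files that change server behaviour without containing PHP themselves.
SPECIAL_FILENAMES = {".htaccess", ".user.ini", "web.config"}


def extension_filter_allows(filename: str) -> bool:
    """The naive check: look only at the uploaded file's own extension.

    This is the pattern the advisory describes being bypassed: 'shell.php'
    is rejected, but 'plugin.zip' carrying shell.php is accepted.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def entry_reasons(name: str) -> list:
    """Reasons one archive entry deserves attention before extraction."""
    reasons = []
    normalized = name.replace("\\", "/")
    parts = normalized.split("/")
    # Absolute paths or '..' segments would write outside the plugin
    # directory (zip slip); this is a hard reject regardless of content.
    if normalized.startswith("/") or ".." in parts:
        reasons.append("path escapes extraction directory")
    base = parts[-1]
    if base in SPECIAL_FILENAMES:
        reasons.append("server configuration file")
    # Look at every extension segment so 'x.jpg.php' and 'x.php.txt' are
    # both reported; handler matching on some servers is not suffix-only.
    segments = base.lower().split(".")[1:]
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        reasons.append("executable (PHP-handled) extension")
    return reasons


def inspect_archive(zip_bytes: bytes) -> dict:
    """Map each notable entry name to its reasons; an empty dict means clean.

    Works on the archive bytes only; nothing is extracted to disk.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = entry_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a plugin-shaped ZIP with benign and hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo-plugin/blueprints.yaml", "name: Demo Plugin\n")
        zf.writestr("demo-plugin/README.md", "# demo\n")
        # Plugin code: legitimate for a CMS whose plugins are PHP, and also
        # exactly what the extension-only filter never looks at.
        zf.writestr("demo-plugin/demo-plugin.php", "<?php // plugin class\n")
        zf.writestr("demo-plugin/.htaccess", "Options +Indexes\n")
        # Zip-slip entry that would land outside the plugins directory.
        zf.writestr("../../pages/shell.php", "<?php /* payload stub */\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("plugin.zip allowed by naive filter:", extension_filter_allows("plugin.zip"))
    print("shell.php allowed by naive filter:", extension_filter_allows("shell.php"))
    for entry, why in inspect_archive(build_sample_archive()).items():
        print(f"{entry}: {', '.join(why)}")
```

Run it as-is to see the naive filter accept the archive while the inspection lists the PHP entries, the `.htaccess`, and the traversal path. In a real install tool the traversal finding is a reject; how to treat the PHP findings is a policy decision, since installing a plugin from an arbitrary archive is code execution by definition and should only be offered for packages from a trusted source.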

Remediation

Update to Grav version 2.0.0-beta.2 or later, where this issue has been fixed. Until the upgrade is applied, keep the number of accounts with administrative privileges to a minimum, since exploitation requires one, and review any plugin installed through 'Direct Install' for files that do not belong to the intended package.

Added: May 11, 2026, 4:42 PM
Updated: May 11, 2026, 4:42 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.