Grav Path Traversal Vulnerability in FormFlash Component Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in Grav CMS versions prior to 2.0.0-beta.2, within the FormFlash core component. This vulnerability allows an unauthenticated attacker to manipulate the session_id parameter, passed as __form-flash-id in POST requests, to traverse the filesystem. Exploitation of this vulnerability enables the creation of arbitrary directories and the writing of an index.yaml file containing attacker-controlled data. The issue can disrupt application behavior, compromise data integrity, and cause service interruptions in production environments.

Impact

Exploitation of this vulnerability allows for unauthorized filesystem modifications, including the creation of directories and files. It also corrupts session data by overwriting temporary form information, disrupting session isolation. Additionally, the vulnerability could be exploited to exhaust disk space or inodes, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, intercept a POST request to a page containing a Grav form. Modify the __form-flash-id parameter to include a traversal sequence targeting a writable directory, such as ../../user/config/proof_dir. After submitting the request, a new directory and an index.yaml file will be created at the specified path, containing the injected data.

Remediation

Users should update Grav to version 2.0.0-beta.2, where this vulnerability has been fixed. The update sanitizes the session_id before constructing paths, preventing the traversal. Additionally, ensure that sensitive directories have restrictive permissions to block unauthorized write access.
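The remediation above boils down to two defensive controls: refuse any flash id that is not an opaque identifier, and confirm that the directory built from it is still a direct child of the intended base directory. The following PHP is an added illustration of that pattern; it is not Grav's own patch, and the function names, exception class and base directory are hypothetical. The rejected inputs are constructed, including the traversal sequence quoted in the Reproduction section, to show how an allow-list plus a containment check stops it before any directory is created.

```php
<?php
// Added example (not Grav's code): validate a client-supplied form-flash id
// before using it as a path component, then confirm the resulting directory
// stays inside the intended base directory. All names here are hypothetical.

declare(strict_types=1);

final class FlashIdValidationException extends \RuntimeException {}

/**
 * Accept only ids that look like an opaque session/flash identifier:
 * alphanumeric plus underscore and dash, bounded length. This rejects "..",
 * "/", "\" and NUL bytes outright.
 */
function assertSafeFlashId(string $id): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{8,128}\z/', $id)) {
        throw new FlashIdValidationException('invalid form flash id');
    }
    return $id;
}

/**
 * Build the flash directory for $id under $baseDir and verify the result is a
 * direct child of the canonical base. The target may not exist yet, so the
 * base (which must exist) is canonicalised and the join is checked via dirname.
 */
function resolveFlashDir(string $baseDir, string $id): string
{
    $id = assertSafeFlashId($id);
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        throw new FlashIdValidationException('flash base directory missing');
    }
    $candidate = $realBase . DIRECTORY_SEPARATOR . $id;
    // Defence in depth: even with the allow-list above, refuse anything that
    // does not remain an immediate child of the base directory.
    if (dirname($candidate) !== $realBase) {
        throw new FlashIdValidationException('path escapes flash directory');
    }
    return $candidate;
}

// Usage with constructed inputs (not captured traffic): one valid id, the
// traversal sequence from the advisory, and an id carrying a NUL byte.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'flash-demo';
@mkdir($base, 0700, true);
foreach (['3f9a1c2e7b4d', '../../user/config/proof_dir', "abc\0def"] as $input) {
    try {
        echo 'accepted: ', resolveFlashDir($base, $input), PHP_EOL;
    } catch (FlashIdValidationException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The allow-list does the real work; the dirname comparison is there so that a future change to the pattern (for example, permitting dots) cannot silently reintroduce traversal. Restrictive permissions on the flash base directory, as the advisory recommends, remain a separate layer and do not substitute for validating the id.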

Added: May 11, 2026, 4:40 PM
Updated: May 11, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.