Grav Twig Sandbox Bypass Vulnerability Allowing Sensitive Data Disclosure

Vulnerability

A vulnerability exists in Grav CMS versions prior to 2.0.0-beta.2, where a low-privileged user can bypass Twig's sandbox restrictions. This is achieved by using the 'grav['accounts']' service to access administrative user objects and extract sensitive information such as Bcrypt password hashes and the security salt. This issue persists despite previous attempts to address similar vulnerabilities in earlier beta releases.

Impact

Exploitation of this vulnerability allows attackers to access the password hashes of all registered users, including Super Administrators. These hashes can be subjected to offline brute-force or dictionary attacks.

Reproduction

To reproduce this vulnerability, create a low-privileged account with limited permissions. Log into the Admin panel and navigate to the Pages section. Ensure that 'Process Twig' is enabled for the page. Inject a Twig payload that accesses the grav['accounts'] service to retrieve the admin password hash and security salt. Save the page; the extracted data is then rendered on the public site, demonstrating the information disclosure.
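Because the disclosure only happens when a page has Twig processing enabled and its body references the accounts service, an administrator can triage existing content for that combination before or after patching. The following audit script is an added example written for this page, not code from the advisory or from the Grav project. It assumes Grav's page layout (markdown files with YAML front matter under user/pages, with a 'process:' block containing 'twig: true' to enable Twig), and it flags both Twig spellings of the same service lookup, grav['accounts'] and grav.accounts. The sample pages embedded in it are constructed for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed sample pages (Grav-style markdown with YAML front matter); not taken from the advisory.
BENIGN_PAGE = """---
title: About
process:
  twig: true
---
Welcome to {{ grav.config.site.title }}.
"""

SUSPICIOUS_PAGE = """---
title: Contact
process:
  twig: true
---
Contact us {{ grav['accounts'] }}
"""

NO_TWIG_PAGE = """---
title: Plain
---
Text with {{ grav.accounts }} that is not rendered because Twig processing is off.
"""

FRONT_MATTER = re.compile(r"\A---\s*\n(.*?)\n---\s*\n?", re.S)
# A Twig output tag {{ ... }} or control tag {% ... %}.
TWIG_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Twig lets both grav['accounts'] (subscript) and grav.accounts (attribute) reach the same service.
ACCOUNTS_REF = re.compile(r"""grav\s*(?:\[\s*['"]accounts['"]\s*\]|\.\s*accounts\b)""")


@dataclass
class Finding:
    line: int           # 1-based line of the Twig tag in the page file
    expression: str     # the full Twig tag that referenced the accounts service
    twig_enabled: bool  # whether the page's front matter turns Twig processing on


def twig_processing_enabled(front_matter: str) -> bool:
    """Assumption: a 'process:' block with an indented 'twig: true' enables Twig for the page."""
    block = re.search(r"^process:\s*\n((?:[ \t]+.*\n?)*)", front_matter, re.M)
    if not block:
        return False
    return re.search(r"^\s*twig:\s*true\b", block.group(1), re.M) is not None


def scan_page(markdown: str) -> List[Finding]:
    """Return every Twig tag in the page body that references the accounts service."""
    fm = FRONT_MATTER.match(markdown)
    front = fm.group(1) if fm else ""
    body_start = fm.end() if fm else 0
    enabled = twig_processing_enabled(front)
    findings: List[Finding] = []
    for tag in TWIG_TAG.finditer(markdown, body_start):
        if ACCOUNTS_REF.search(tag.group(0)):
            line = markdown.count("\n", 0, tag.start()) + 1
            findings.append(Finding(line, tag.group(0), enabled))
    return findings


def scan_pages_dir(root: Path) -> List[tuple]:
    """Walk a Grav pages tree (e.g. user/pages) and collect findings per markdown file."""
    results = []
    for path in sorted(root.rglob("*.md")):
        for f in scan_page(path.read_text(encoding="utf-8", errors="replace")):
            results.append((str(path), f))
    return results


if __name__ == "__main__":
    # Stand-alone demo over the constructed samples; point scan_pages_dir at user/pages for a real site.
    for name, page in [("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE), ("no-twig", NO_TWIG_PAGE)]:
        for f in scan_page(page):
            status = "RENDERED" if f.twig_enabled else "inert (twig off)"
            print(f"{name}: line {f.line}: {f.expression.strip()} [{status}]")
```

Findings with twig_enabled set are the ones that would actually render on a vulnerable version; findings on pages without Twig processing are still worth reviewing, since enabling the setting later would activate them. The scanner matches literal references only, so treat it as a triage aid alongside the upgrade to 2.0.0-beta.2 rather than as a substitute for it.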

Remediation

Users can upgrade to Grav CMS version 2.0.0-beta.2, where this vulnerability has been fixed.

Added: May 11, 2026, 4:39 PM
Updated: May 11, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.