Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- < 9.1.0
A vulnerability in the Grav Form plugin prior to version 9.1.0 allows unauthenticated overwriting of page content through file uploads. The upload handler accepts a filename supplied in a POST field and lets it override the original uploaded filename, so the extension restrictions that are applied to the original name can be bypassed. An attacker can therefore upload a file that replaces a page's content file, such as 'form.md', and, by abusing the form processing actions, potentially escalate privileges to super-admin.
Successful exploitation allows unauthorized overwrites of page content, i.e. arbitrary content injection into Grav pages. This can be used to manipulate page data or to escalate privileges to super-admin by creating a user with elevated rights through the form processing features.
To reproduce, upload a file through a form that accepts all file types, supplying a filename that matches a Grav page's content file, such as 'form.md'. Submitting the form then triggers the overwrite of the original page content. Afterwards, requesting the page shows the injected content; if that content carries a payload that creates a super-admin user, the privilege escalation is achieved.
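The following is an added illustration, not code from the Grav Form plugin or from this advisory: a minimal upload-naming routine showing the pattern described above (a POST-supplied name overriding the upload name that was actually checked) beside a hardened version, driven by a constructed request with a benign upload name and a malicious override field. The POST field name 'name', the function names and the dangerous-extension list are assumptions for the example.

```php
<?php
// Added example (not the Grav Form plugin's code). Shows why accepting a
// client-supplied filename after the extension check lets a benign upload
// land on disk as a page-content file such as form.md.

declare(strict_types=1);

/** Extensions never written from an upload. Assumed list for this example. */
const DANGEROUS_EXTENSIONS = ['php', 'html', 'htm', 'js', 'exe', 'md'];

/**
 * VULNERABLE pattern: the extension check runs on the original upload name,
 * then a POST field is allowed to replace that name without re-validation.
 * 'avatar.png' passes the check, but 'form.md' is what gets written.
 */
function vulnerableTargetName(array $file, array $post): string
{
    $original = $file['name'];
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (in_array($ext, DANGEROUS_EXTENSIONS, true)) {
        throw new RuntimeException("Rejected extension: $ext");
    }
    // Override applied after the check; the new name is never inspected.
    return $post['name'] ?? $original;
}

/**
 * HARDENED pattern: the client cannot choose the stored name at all. Only the
 * real upload name is consulted, directory components and NUL bytes are
 * refused, the extension is validated on the final name, and the stored
 * name is randomised so it can never collide with an existing page file.
 */
function safeTargetName(array $file): string
{
    $name = basename($file['name']); // drops any path component
    if ($name === '' || $name === '.' || $name === '..'
        || strpos($name, "\0") !== false) {
        throw new RuntimeException('Invalid filename');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || in_array($ext, DANGEROUS_EXTENSIONS, true)) {
        throw new RuntimeException("Rejected extension: '$ext'");
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed request: harmless upload name, malicious override field.
$file = ['name' => 'avatar.png', 'tmp_name' => '/tmp/phpAbc123', 'size' => 42];
$post = ['name' => 'form.md'];

echo 'vulnerable handler stores as: ', vulnerableTargetName($file, $post), PHP_EOL;
echo 'hardened handler stores as:   ', safeTargetName($file), PHP_EOL;
```

Run with `php example.php`: the vulnerable routine returns the override 'form.md' even though 'md' is on the blocked list, because the check only ever saw 'avatar.png'; the hardened routine ignores the POST field entirely and returns a random name carrying the validated '.png' extension. The same logic applies to any upload handler that lets a later, unchecked value replace an earlier, checked one.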
Users are advised to update the Grav Form plugin to version 9.1.0 or later, where this vulnerability has been fixed. Additionally, page-content files can be blocked at upload by adding their extension (Markdown, 'md') to the global 'security.uploads_dangerous_extensions' list; note that this refuses every Markdown upload, not only 'form.md', so it is only suitable where no form legitimately needs to accept Markdown files.
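Where that list lives, as an added configuration example that is not part of this advisory or of the Grav project's own files: the site-level override of the system configuration. The pre-existing entries shown are an illustrative subset, not a statement of Grav's exact defaults.

```yaml
# user/config/system.yaml (added example; existing entries illustrative)
security:
  uploads_dangerous_extensions:
    - php
    - html
    - htm
    - js
    - exe
    - md   # added: page-content files are Markdown, so 'form.md' is refused at upload
```

Because the list is global, the entry takes effect for every upload field on the site, including those of forms that explicitly accept all file types.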