Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- <= 2.0.0-rc.1
A vulnerability in Grav's Twig sandbox allow-list prior to version 2.0.0-rc.2 permits users with the admin.pages role to invoke config.toArray() within a page body. This action dumps the entire merged site configuration, including sensitive plugin secrets such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens, into the rendered HTML. Notably, this exploitation does not require administrator privileges.
Exploitation of this vulnerability allows any user with the editor role (admin.pages) to extract all plugin credentials from the site configuration, bypassing the need for administrative rights. The extracted secrets, which include SMTP passwords, AWS access and secret keys, OAuth client secrets, reCAPTCHA keys, and any API tokens stored in plugin YAML configuration, could independently compromise the associated services.
To reproduce this vulnerability, log in as a user with the admin.pages role. Save a page whose frontmatter sets 'process.twig: true' and whose body calls 'config.toArray()' and encodes the result as JSON. When the page is rendered, the merged configuration, including sensitive plugin secrets, is exposed in the HTML. This can be automated with a script that handles the login process and page creation.
Users are advised to update Grav to version 2.0.0-rc.2 or later, where this vulnerability has been fixed.
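The following Python script is an added example for defenders and is not part of this advisory or of the Grav project. It does two things the advisory implies a site operator would want: it decides whether an installed Grav version string falls in the affected range (anything below 2.0.0-rc.2, with release candidates sorting below the final release), and it scans Grav page files for the combination the advisory describes, frontmatter that enables Twig processing together with a body that calls config.toArray(). It assumes Grav's usual on-disk layout (Markdown pages with a YAML frontmatter block under user/pages), handles both the nested `process:` / `twig:` YAML form and a flat `process.twig:` key, and relies only on the standard library. The sample page contents and the function names are constructed for this example.

```python
import re
from pathlib import Path
from typing import Dict, Iterator

# Version in which the Twig sandbox allow-list was fixed (from the advisory).
FIXED_VERSION = "2.0.0-rc.2"

# Grav version strings look like 1.7.48 or 2.0.0-rc.1 (assumption: only "rc" pre-releases).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")

# Frontmatter is the YAML block between the opening and closing '---' lines.
_FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)^---[ \t]*$\n?(.*)\Z", re.S | re.M)

# Nested YAML form:   process:
#                       twig: true
_TWIG_NESTED_RE = re.compile(
    r"^process:[ \t]*\n(?:[ \t]+[^\n]*\n)*?[ \t]+twig:[ \t]*(?:true|yes|on)\b",
    re.M | re.I,
)
# Flat form as written in the advisory: process.twig: true
_TWIG_FLAT_RE = re.compile(r"^process\.twig:[ \t]*(?:true|yes|on)\b", re.M | re.I)

# The call the advisory identifies as dumping the merged configuration.
_CONFIG_DUMP_RE = re.compile(r"\bconfig\s*\.\s*toArray\s*\(", re.I)


def version_key(version: str) -> tuple:
    """Sortable key: a release candidate sorts below the final release of the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version string: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def scan_page(text: str) -> Dict[str, bool]:
    """Classify one page file: Twig enabled? config dump present? both (risky)?"""
    m = _FRONTMATTER_RE.match(text)
    frontmatter, body = (m.group(1), m.group(2)) if m else ("", text)
    twig_enabled = bool(_TWIG_NESTED_RE.search(frontmatter) or _TWIG_FLAT_RE.search(frontmatter))
    dumps_config = bool(_CONFIG_DUMP_RE.search(body))
    return {
        "twig_enabled": twig_enabled,
        "dumps_config": dumps_config,
        "risky": twig_enabled and dumps_config,
    }


def find_risky_pages(pages_root: Path) -> Iterator[Path]:
    """Walk a Grav user/pages tree and yield files matching the advisory's pattern."""
    for path in pages_root.rglob("*.md"):
        if scan_page(path.read_text(encoding="utf-8", errors="replace"))["risky"]:
            yield path


# Constructed sample pages (not real site content).
SAMPLE_VULNERABLE_PAGE = """---
title: Contact
process:
  markdown: true
  twig: true
---
{{ config.toArray()|json_encode }}
"""

SAMPLE_BENIGN_PAGE = """---
title: About
process:
  twig: true
---
Site name: {{ config.site.title }}
"""

if __name__ == "__main__":
    for v in ("1.7.48", "2.0.0-rc.1", "2.0.0-rc.2", "2.0.0"):
        print(f"Grav {v}: {'affected' if is_vulnerable(v) else 'fixed'}")
    print("sample vulnerable page:", scan_page(SAMPLE_VULNERABLE_PAGE))
    print("sample benign page:    ", scan_page(SAMPLE_BENIGN_PAGE))
    # Point this at a real install to audit existing content, e.g.:
    # for p in find_risky_pages(Path("/var/www/grav/user/pages")): print(p)
```

Run the version check against the value in the installed Grav's system/defines.php (or the admin dashboard) and the page scan against user/pages after upgrading to 2.0.0-rc.2: a hit from find_risky_pages on a site that was running an affected version indicates a page that may already have rendered the merged configuration, so the plugin secrets it references (SMTP, AWS, OAuth, reCAPTCHA, API tokens) should be rotated rather than assumed safe.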