Grav API
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- <= 1.0.2
A file upload extension bypass vulnerability has been identified in the Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.3. The issue resides in the API media controller, specifically within the HandlesMediaUploads::validateFileExtension() method, which only checks the final file extension. This flaw allows users with api.media.write permission to upload files with double extensions, such as shell.php.jpg, circumventing the blocklist of dangerous extensions. If the web server executes the file as PHP, this could lead to remote code execution.
Exploitation of this vulnerability allows authenticated users with media upload permissions to execute arbitrary PHP code on the server, resulting in remote code execution. In environments where PHP does not execute files with a .php.jpg extension, the uploaded PHP file is served as plain text, disclosing the PHP source code and potentially exposing sensitive information such as application logic and hardcoded secrets.
To reproduce this vulnerability, first obtain a JSON Web Token (JWT) by authenticating with a username and password. Then, use the JWT to upload a file through the API media endpoint, ensuring to include a double extension that bypasses the server's extension validation. The response will confirm the upload, indicating that the file was accepted despite its dangerous extension. Finally, access the uploaded file through the media URL, which will execute the PHP code if the server processes .php files.
Users are advised to update the Grav API plugin to version 1.0.3 or later, where this vulnerability has been patched. Additionally, implement stricter validation of file extensions by checking all components of the filename, not just the last extension, and verify the actual file content against its claimed MIME type to prevent the upload of executable files.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.