Grav CMS FileCache Insecure Deserialization Vulnerability Allowing Object Injection and Remote Code Execution

Vulnerability

A vulnerability exists in Grav CMS versions 1.7.44 through 1.7.49.5 and in 2.0.0-beta.1. The issue is in the FileCache component, specifically the doGet method, which passes cache file contents to unserialize() with the 'allowed_classes' option set to true. Because every class is then eligible for instantiation, an attacker who can modify the cache files can have arbitrary objects created when the cache is read. The vulnerability can be exploited remotely, but doing so requires a high level of complexity and appears to be challenging.

Impact

Exploitation of this vulnerability leads to insecure deserialization, allowing for arbitrary object injection. This could be exploited to execute remote code via PHP gadget chains, access sensitive properties or magic methods, and potentially escalate privileges in PHP applications.

Reproduction

To reproduce this vulnerability, first upload a malicious cache file to the application's cache directory, crafted so that it injects a serialized PHP object carrying the payload. Then trigger the vulnerability by calling FileCache::get(), which unserializes the injected object and executes the payload.

Remediation

Upgrade Grav CMS to version 2.0.0-beta.2, which addresses the vulnerability by adding HMAC integrity to the FileCache component. The update ensures that cache payloads are signed and verified, preventing the exploitation of deserialization vulnerabilities.
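The following is an added illustration of the fix pattern described in the Vulnerability and Remediation sections above; it is not Grav's own code, and the class name SignedFileCache, its method names and the cache file layout (tag line, then payload) are assumptions. It shows the weak call, unserialize() with 'allowed_classes' => true, next to a cache that signs each payload with HMAC-SHA256 on write, verifies the tag with hash_equals() before anything is passed to unserialize(), and additionally limits the classes that may be instantiated. The demonstration at the bottom uses a constructed, harmless serialized string to show that a tampered file is rejected as a cache miss.

```php
<?php
// Added example, not Grav's code: a file-backed cache whose payloads are
// HMAC-signed so that a modified cache file is never handed to unserialize().
final class SignedFileCache
{
    private string $dir;
    private string $key; // persistent secret; a real app would load it from config

    public function __construct(string $dir, string $key)
    {
        if (strlen($key) < 32) {
            throw new InvalidArgumentException('cache key must be at least 32 bytes');
        }
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    private function path(string $id): string
    {
        // Hash the id so a caller can never steer the path outside the cache dir.
        return $this->dir . '/' . hash('sha256', $id) . '.cache';
    }

    public function set(string $id, mixed $value): void
    {
        $payload = serialize($value);
        $tag = hash_hmac('sha256', $payload, $this->key);
        // File layout (assumed): hex tag on the first line, serialized payload after it.
        // Write to a temp file and rename so readers never see a half-written entry.
        $tmp = $this->path($id) . '.tmp';
        file_put_contents($tmp, $tag . "\n" . $payload, LOCK_EX);
        rename($tmp, $this->path($id));
    }

    public function get(string $id, mixed $default = null): mixed
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return $default;
        }
        $raw = file_get_contents($file);
        $nl = strpos($raw, "\n");
        if ($nl === false) {
            return $default; // malformed file: treat as a cache miss
        }
        $tag = substr($raw, 0, $nl);
        $payload = substr($raw, $nl + 1);

        // Verify before unserialize; hash_equals() avoids timing leaks on the tag.
        if (!hash_equals(hash_hmac('sha256', $payload, $this->key), $tag)) {
            @unlink($file); // drop the tampered or stale entry
            return $default;
        }

        // Weak pattern, shown for contrast only:
        //   return unserialize($payload, ['allowed_classes' => true]);
        // Hardened: only classes the cache is expected to hold may be instantiated.
        return unserialize($payload, ['allowed_classes' => [stdClass::class]]);
    }
}

// Constructed demonstration.
$dir = sys_get_temp_dir() . '/signed-cache-demo';
@mkdir($dir, 0700, true);
$cache = new SignedFileCache($dir, random_bytes(32)); // random key for the demo only
$cache->set('page:home', ['title' => 'Home', 'hits' => 3]);
var_dump($cache->get('page:home'));   // the stored array

// Overwrite the cache file with a harmless serialized stdClass and a bogus tag:
// the HMAC check fails and unserialize() is never reached.
$file = $dir . '/' . hash('sha256', 'page:home') . '.cache';
file_put_contents($file, "bogus\n" . 'O:8:"stdClass":0:{}');
var_dump($cache->get('page:home'));   // NULL
```

The order of operations is the point: integrity is checked on the raw bytes first, so untrusted data never reaches the deserializer, and the allowed_classes list is a second line of defence rather than the only one. If the signing key is rotated, every existing entry fails verification and is simply regenerated, which is the behaviour a cache wants.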

Added: Apr 28, 2026, 10:22 PM
Updated: Apr 28, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 9.1
remediation: 7.7
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.