Previously I’ve described privilege escalation with XSS and how to use user settings to gain admin privileges. Now it’s time for the last article in the series on Grav CMS — the least severe but quite interesting and often overlooked SVG file upload.
I’ve worked on the Grav Devel and Admin Devel versions as of the 21st of December, 2018, with the default Grav installation, an admin account and a user account with the following privileges:
Proof of Concept
Second, the user sets the previously uploaded file as his avatar.
From now on, the file is available through the browser under the endpoint /user/accounts/avatars/1i0FpO3bmsq8ycD.svg, which can be obtained from the above requests/replies.
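A server-side check of the kind a defender would add before accepting an uploaded avatar, as an added example (not Grav's own code): it parses the SVG and rejects script elements, event-handler attributes and script URLs, so an avatar that could run in the victim's browser never reaches the avatars endpoint. The sample SVGs are constructed for the demonstration.

```python
"""Reject SVG avatars that carry active content (added example, not Grav code)."""
import re
import xml.etree.ElementTree as ET  # in production prefer defusedxml.ElementTree

# Elements that can execute script or embed foreign markup inside an SVG.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# href values that can trigger script when the file is opened directly;
# data: is rejected as well, conservatively, since it can wrap another SVG.
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace such as '{http://www.w3.org/2000/svg}' from a name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text: str) -> list:
    """Return the reasons an SVG should be rejected; an empty list means clean.

    A parse error is itself a finding so malformed input is never accepted.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # iter() walks the root and every descendant
        tag = _local(el.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"element <{tag}> not allowed")
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles plain and xlink:-namespaced names
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and DANGEROUS_URL.match(value):
                findings.append(f"script url in href on <{tag}>")
    return findings


def is_safe_avatar(svg_text: str) -> bool:
    """True only when the upload contains no finding at all."""
    return not svg_findings(svg_text)


# Constructed samples: a plain icon, an event handler, and an inline script.
SAMPLE_BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="3"/></svg>'
SAMPLE_HANDLER = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect/></svg>'
SAMPLE_SCRIPT = '<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>'
```

Rasterising the avatar to PNG on upload is the stronger alternative when SVG features are not actually needed.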
The presented bug is the least severe in the series of articles about Grav CMS. Many prerequisites are required to exploit it: a malicious user has to have an account and upload a malicious SVG avatar; then he has to somehow make a victim user open the direct link to the avatar — all while hoping that the victim will be logged in when opening the link.
Real-world security is never black and white. Risks, costs and benefits always have to be taken into account. The presented scenario is rather improbable and poses a low risk. In some cases it might be reasonable to give such a bug low priority or even accept the risk. Nonetheless, it was certainly fun to find.