Privilege escalation with XSS in Grav CMS

Marcin Teodorczyk
Published in intive Developers
Nov 7, 2018

Tracking down security bugs in web applications is an exciting task. It’s especially rewarding when a fast-growing open source solution is on the workbench. One example is Grav CMS, the most-starred PHP-based CMS on GitHub, with a rapidly growing user base.

This article is the first of a three-part series describing a few security issues I’ve discovered and disclosed. Each article in the series covers a different type of security issue. This one is about the well-known XSS.

All the testing I did was performed on Grav 1.5.1 with at least one admin account and one user account created.

Let’s start from the end, with an example of a successful injection request. To make such a request, one has to have a user account with the page-creation privilege enabled.

Following the redirect in the server’s response, we get:

One can notice that there is HTML with JavaScript code that will run. However, what’s most interesting is that it won’t be the code within the <script> tags, which I couldn’t get control of (it’s a leftover of HTML code from the page). Even though it’ll be treated as JavaScript, it won’t do anything, since it’s HTML and thus not valid JavaScript (one can see that it starts with user1</option>). To overcome this obstruction I used the src and onerror attributes of the script tag and delivered the malicious payload in the onerror value. This, of course, has some limitations, as one might not be able to use a larger payload. However, in the tested Grav instance a quick check proved that it was possible to inject a payload 10000 characters long.

OK, so we have at least a reflected XSS. After looking a little more at the application, it turned out that the injected payload is stored in the database and used on a few subpages, for example the home page visited by all guests:

and the page listing in the admin panel, typically used by admins or by users with the create-page privilege.

So finally, we have a stored XSS whose JavaScript will run in the context of all visitors as well as admins, performing actions on their behalf and giving us classic privilege escalation.
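As an added defender-side example (not code from this post or from the Grav project): a small scanner over Grav-style page sources (Markdown with YAML front matter) that flags markup capable of executing script, including the script tag with src and onerror described above, in both the front matter (where the page title lives) and the body. The file paths, titles and the placeholder handler text are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample Grav page sources (Markdown with YAML front matter).
# Paths, titles and the placeholder handler text are made up for this example.
SAMPLE_PAGES = {
    "user/pages/01.home/default.md":
        "---\ntitle: Home\n---\nWelcome to the site.",
    "user/pages/02.news/default.md":
        "---\ntitle: '<script src=x onerror=\"/* payload */\"></script>'\n---\nNews.",
    "user/pages/03.about/default.md":
        "---\ntitle: About\n---\nSee <a href=\"/\" onclick=\"track()\">home</a>.",
}

class ActiveContentFinder(HTMLParser):
    """Records markup that can execute script: <script> tags, on* handlers, javascript: URIs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-tag", tag, "script"))
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(("event-handler", tag, lname))
            elif lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", tag, lname))

def split_front_matter(source):
    """Return (front_matter, body); both are scanned, since the title is what was injected here."""
    parts = source.split("---", 2)
    if len(parts) == 3 and parts[0].strip() == "":
        return parts[1], parts[2]
    return "", source

def scan_page(path, source):
    """Scan one page file; each finding is (path, section, kind, tag, attribute)."""
    results = []
    for section, text in zip(("front_matter", "body"), split_front_matter(source)):
        finder = ActiveContentFinder()
        finder.feed(text)
        finder.close()
        results.extend((path, section, kind, tag, attr) for kind, tag, attr in finder.findings)
    return results

def scan_pages(pages):
    """Scan a mapping of path -> source and return every finding for manual review."""
    return [f for path, source in pages.items() for f in scan_page(path, source)]

if __name__ == "__main__":
    for finding in scan_pages(SAMPLE_PAGES):
        print(*finding)
```

Run it against the contents of a real user/pages tree instead of SAMPLE_PAGES to review what content authors have stored; any hit in a title or other field that the admin listing renders deserves a look.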

The Grav team’s response to the bug disclosure was fast and professional. After a short investigation it turned out that they were aware of a few XSS issues and had been working on a generic solution. The next release with a fix was promised within two weeks. Indeed, Grav 1.5.2 with the added "XSS protection" feature was released on 1 October 2018.
