Tracking down security bugs in web applications is an exciting task. It is especially rewarding when a fast-growing open source solution is on the workbench. One such example is Grav CMS, the most-starred PHP-based CMS on GitHub, with a rapidly growing user base.
This article is the first of a three-part series describing a few security issues I have discovered and disclosed. Each article in the series covers a different type of security issue. This one is about the well-known XSS.
All the testing I did was performed on Grav 1.5.1 with at least one admin account and one regular user account created.
Let's start from the end, with an example of a successful injection request. To make such a request, one needs a user account with the page-creation privilege enabled.
Following the redirect in the server's response, we get:
OK, so we have at least a reflected XSS. After looking a little more closely at the application, it turned out that the injected payload is stored in the database and used on several subpages, for example the home page, visited by all guests:
and the page listing in the admin panel, typically used by admins or by users with the create-page privilege.
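To illustrate the class of bug described above (a page title supplied by a low-privilege author that is rendered unescaped on the front page and in the admin page listing), here is an added example in plain PHP; it is not Grav's own code or its fix. The `$pages` array, the sample title and the `render_page_list_*` helpers are constructed for this illustration.

```php
<?php
// Constructed sample data: a page title as a low-privilege author could submit it.
// The title is a textbook probe, not the payload from the disclosure.
$pages = [
    ['slug' => 'home', 'title' => 'Home'],
    ['slug' => 'news', 'title' => 'News <img src=x onerror="alert(1)">'],
];

// Vulnerable rendering: the stored title is concatenated straight into HTML.
// Every view that reuses such a helper (front page, admin listing) inherits the XSS,
// which is why one stored field showed up on several subpages.
function render_page_list_vulnerable(array $pages): string
{
    $html = "<ul>\n";
    foreach ($pages as $p) {
        $html .= "  <li><a href=\"/{$p['slug']}\">{$p['title']}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened rendering: escape at the output boundary for the HTML context.
// ENT_QUOTES also covers attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the field.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_page_list_safe(array $pages): string
{
    $html = "<ul>\n";
    foreach ($pages as $p) {
        // The slug is escaped as well: it is still an attribute value in this context.
        $html .= '  <li><a href="/' . esc_html($p['slug']) . '">'
               . esc_html($p['title']) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Regression check a maintainer could keep in the test suite: after escaping,
// no stored field may contribute a raw '<' to the rendered output.
function stored_fields_are_inert(array $pages): bool
{
    foreach ($pages as $p) {
        if (strpos(esc_html($p['title']), '<') !== false) {
            return false;
        }
    }
    return true;
}

echo render_page_list_vulnerable($pages);   // the onerror handler survives
echo render_page_list_safe($pages);         // rendered as literal text
var_dump(stored_fields_are_inert($pages));
```

Escaping is context-specific: the same title placed inside a JavaScript string, a URL or a CSS value needs the encoder for that context, not `htmlspecialchars`.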
The Grav team's response to the bug disclosure was fast and professional. After a short investigation it turned out that they were aware of a few XSS issues and had been working on a generic solution. The next release with a fix was promised within two weeks. Indeed, Grav 1.5.2, with an added "XSS protection" feature, was released on the 1st of October, 2018.