New Security Research: Code Execution vulnerabilities in Grav CMS, NoSQL injections in Rocket.Chat

We recently published two blog posts describing vulnerabilities we found in Grav CMS, a famous flat-file PHP CMS, and Rocket.Chat, a JavaScript solution for team communication adopted by numerous companies and open-source communities. Don’t hesitate to dive into these articles, in which we describe the technical root causes of these bugs, their exploitation and the fixes that were published. We’ll also be happy to answer your questions in this thread!

Code Execution vulnerabilities in Grav CMS 1.7.10 (CVE-2021-29439, CVE-2021-29440)

In the lineage of the most recent flat-file PHP CMSs, Grav CMS is a modern web platform for building fast, safe and extensible websites. It uses a modern technology stack with Twig, Symfony and Doctrine, and offers an administration dashboard that allows managing the whole website (structure, pages, static resources, etc.). It was voted “Best Flat File CMS” in 2017 and 2019 and is rapidly gaining traction with over 12k GitHub stars.

As simplicity and security are often key arguments when choosing a flat-file CMS, we recently pursued some security research on Grav 1.7.10 and discovered two interesting vulnerabilities in the core and the dashboard (respectively CVE-2021-29440 and CVE-2021-29439). These issues can be exploited by authenticated attackers with low privileges, and allow them to execute arbitrary code and commands on the underlying server.

We responsibly reported the following security-relevant bugs to the vendor, who quickly released version 1.7.11 to address them:

  • Improper authorization checks that can allow a low-privileged authenticated user to install arbitrary plugins;

  • A dangerous configuration of the Twig templating engine that can lead to the execution of PHP code, exploitable by users allowed to create or edit pages on the instance.

In this new publication, we will discuss the root cause of these two bugs, how they can be exploited by attackers to gain code execution, and how the vulnerable code was patched.

Read the blog post: Grav CMS 1.7.10 - Code Execution Vulnerabilities

NoSQL Injections in Rocket.Chat 3.12.1 (CVE-2021-22911)

Rocket.Chat is one of the most popular open source solutions for team communication, written in JavaScript and TypeScript. It has more than 12 million users worldwide and there are over 800,000 server instances deployed that are being used to exchange confidential information and files. We discovered critical vulnerabilities in its source code that could have been used by an attacker to take complete control over a server, starting with as little as any user’s email address.

In this blog post we investigate these vulnerabilities by first taking a quick look at NoSQL databases, then explaining what injections look like in that context. We then analyze the vulnerabilities we found and how they can be chained into an exploit. Finally, we give advice on how to prevent such bugs in your applications.
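To make the "what injections look like in that context" point concrete, here is an added example (not Rocket.Chat's code, and not taken from the blog post) of the general pattern behind MongoDB-style NoSQL injection: a query filter built straight from a JSON request body, where a field expected to be a string arrives as an object carrying a query operator. Alongside the unsafe construction it shows two defensive checks, a scalar-type guard on each field and a walker that flags any `$`-prefixed key reachable from user-controlled data. All function names and the two request bodies are hypothetical and constructed for the example.

```javascript
// Added example, not Rocket.Chat's code: a MongoDB-style query filter built
// from a JSON request body, the operator-injection shape that makes it
// unsafe, and two defensive checks. All names are hypothetical.

// Unsafe: JSON bodies can carry objects, not just strings, so `password`
// may arrive as an object that the driver interprets as a query operator.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Check 1: insist on scalar strings wherever a string is expected.
function requireString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`field "${field}" must be a string, got ${typeof value}`);
  }
  return value;
}

function buildLoginFilterSafe(body) {
  return {
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  };
}

// Check 2: walk a filter and list every '$'-prefixed key reachable from
// user-controlled values. Useful as a last-line guard or as a log signal.
function findOperatorKeys(value, path = '') {
  const found = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => found.push(...findOperatorKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (key.startsWith('$')) found.push(childPath);
      found.push(...findOperatorKeys(child, childPath));
    }
  }
  return found;
}

// Constructed request bodies: a normal login and the textbook operator
// object that turns an equality match into "anything not equal to ''".
const benignBody = { username: 'alice', password: 'correct horse battery' };
const hostileBody = { username: 'alice', password: { $ne: '' } };

// Inspect a body the way a request-validation middleware would: report
// smuggled operators and whether the strict builder accepts the input.
function inspectBody(body) {
  const unsafeFilter = buildLoginFilterUnsafe(body);
  const operators = findOperatorKeys(unsafeFilter);
  let safeFilter = null;
  let rejection = null;
  try {
    safeFilter = buildLoginFilterSafe(body);
  } catch (err) {
    rejection = err.message;
  }
  return { operators, safeFilter, rejection };
}

console.log(inspectBody(benignBody));
console.log(inspectBody(hostileBody));
```

The type guard is the fix to prefer: it stops the object before it reaches the driver, regardless of which operator it carries. The key walker is a useful second layer for filters assembled from many inputs, and its output is worth logging, since a `$`-prefixed key in a position that should hold a plain value is a strong signal of an injection attempt against the application.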

Read the blog post: NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket