Vulnerability in content management system opened the door to unauthenticated exploitation

A recently resolved vulnerability in GravCMS created a means for unauthenticated attackers to hijack admin functions on vulnerable content management systems, among other potential exploits.

The critical flaw, which posed a remote code execution (RCE) risk, was discovered by Mehmet Ince during a penetration test last month and subsequently reported to both the client and developers of GravCMS.

The flaw – tracked as CVE-2021-21425 – was resolved on 6 April 2021, allowing the security researcher to publish a technical write-up of his main findings.

Users are advised to upgrade to GetGrav 1.10.8, a patched version of the software release earlier this week, in order to guard against potential pwnage.

According to public data, there are around 20,000 websites that use GravCMS, a PHP-based open source package.

Unauthenticated exploitation risk

Ince discovered that in earlier versions of the software, an unauthenticated user could execute some methods of administrative control without needing any credentials because of flaws in the coding of the Grav Admin Plugin.

“Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system,” Ince told The Daily Swig.

“Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc.”

“Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user,” Ince added.

The vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.

Matias Griese, a developer on the core GravCMS team, commented: “Admin 1.10.8 prevents the described attack, and the next version should make it impossible to use the methods described in the article to find another way in.”

Lessons to be learned

Istanbul-based Ince told The Daily Swig that the discovery of the flaw offered lessons for other software developers.

“The root cause of that vulnerability is related to the method invocation design of the GrabCMS controllers,” Ince explained.

“A very basic mistake about naming one of the methods made the whole attack possible. In other words, one critical method of the class has become accessible via HTTP without authentication just because of basic mistakes.”

The error illustrated the importance to have a “solid and secure design architecture approach” towards designing software, Ince concluded.


YOU MAY ALSO LIKE PHP maintainers release post-mortem report after backdoor planted in Git repo