{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-plugin-form/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav-plugin-form"],"_cs_severities":["critical"],"_cs_tags":["grav","cms","file-upload","privilege-escalation","content-overwrite"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eThe Grav CMS Form plugin, specifically in versions prior to 9.1.0, contains a vulnerability allowing unauthenticated users to overwrite existing page content. This flaw resides in the file upload handling mechanism within \u003ccode\u003euser/plugins/form/classes/Form.php\u003c/code\u003e, where the filename of an uploaded file can be controlled via a POST request. The \u003ccode\u003eUtils::checkFilename()\u003c/code\u003e function insufficiently filters filenames, failing to block \u003ccode\u003e.md\u003c/code\u003e extensions. By exploiting this, an attacker can upload a malicious \u003ccode\u003e.md\u003c/code\u003e file, crafted to overwrite the content of an existing page. This enables attackers to inject arbitrary content, including YAML frontmatter, leading to privilege escalation by creating new administrator accounts.\nThis vulnerability was tested on Form version 9.0.3, released on April 28th.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Grav page using the Form plugin with a file upload field that accepts all file types (\u003ccode\u003eaccept: ['*']\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e.md\u003c/code\u003e file containing YAML frontmatter designed to create a new administrator account (e.g., \u003ccode\u003eviaup.yaml\u003c/code\u003e as described in the PoC).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious \u003ccode\u003e.md\u003c/code\u003e file, setting the \u003ccode\u003efilename\u003c/code\u003e parameter in the POST request to match the target page\u0026rsquo;s content file name (e.g., \u003ccode\u003eform.md\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eForm::uploadFiles()\u003c/code\u003e function processes the upload, using the attacker-controlled filename to store the file in flash storage.\u003c/li\u003e\n\u003cli\u003eUpon form submission, \u003ccode\u003eForm::copyFiles()\u003c/code\u003e moves the uploaded file to its final destination, overwriting the original \u003ccode\u003e.md\u003c/code\u003e file of the target page.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the target page via a \u003ccode\u003eGET\u003c/code\u003e request, causing Grav to parse the newly overwritten \u003ccode\u003e.md\u003c/code\u003e file and its injected YAML frontmatter.\u003c/li\u003e\n\u003cli\u003eThe injected YAML frontmatter creates a new super-admin user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the credentials of the newly created super-admin user to log in and gain administrative control of the Grav CMS instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability\nallows unauthenticated attackers to overwrite existing page content, inject malicious code, and ultimately escalate their privileges to super-admin. This grants them complete control over the Grav CMS instance, potentially leading to data theft, website defacement, or further malicious activities. This vulnerability impacts any Grav page allowing file uploads with insufficiently restricted file types and can result in complete compromise of the Grav CMS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the remediation patch described in the advisory by upgrading to Grav Form plugin version 9.1.0 or later to address CVE-2026-42845.\u003c/li\u003e\n\u003cli\u003eImplement the provided code snippet within \u003ccode\u003euser/plugins/form/classes/Form.php\u003c/code\u003e to block uploads of sensitive page content file types (\u003ccode\u003e.md\u003c/code\u003e, \u003ccode\u003e.yaml\u003c/code\u003e, \u003ccode\u003e.yml\u003c/code\u003e, \u003ccode\u003e.json\u003c/code\u003e, \u003ccode\u003e.twig\u003c/code\u003e) to prevent page content overwrites.\u003c/li\u003e\n\u003cli\u003eAdd \u003ccode\u003emd, yaml, yml, json, twig, ini\u003c/code\u003e to the \u003ccode\u003esecurity.uploads_dangerous_extensions\u003c/code\u003e list in Grav\u0026rsquo;s configuration to prevent these file types from being processed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Grav Form Plugin Page Content Overwrite Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring for uploads of markdown or YAML files to the pages directory.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to form submission endpoints that contain the \u003ccode\u003efilename\u003c/code\u003e parameter with values matching page content filenames (e.g., \u003ccode\u003eform.md\u003c/code\u003e,\n\u003ccode\u003edefault.md\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-grav-form-plugin-overwrite/","summary":"Grav Form plugin versions before 9.1.0 allow unauthenticated users to overwrite page content by uploading a malicious markdown file, leading to potential privilege escalation by crafting a new super-admin user.","title":"Grav Form Plugin Anonymous Page Content Overwrite Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-grav-form-plugin-overwrite/"}],"language":"en","title":"CraftedSignal Threat Feed — Grav-Plugin-Form","version":"https://jsonfeed.org/version/1.1"}