Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Grav CMS Code Execution Vulnerabilities - 517

Thomas Chauchefoin, posted 4 years ago
  • Grav is a CMS. It uses a stack with Twig, Symfony and Doctrine with an administration dashboard that allows managing the whole website (structure, pages, static resources, etc.). It has a focus on flat content, which includes Markdown and other easy-to-write formats.
  • The author dug through the code and noticed a per-page option named process.twig. When it is enabled, Grav applies a Twig rendering pass on the content before serving the page. The rendering step is not sandboxed, at all.
  • In the Twig ecosystem, this means that any tag, filter, method and property can be invoked during the rendering step. PHP functions are not mapped into Twig templates and must be explicitly declared, but previous research by James Kettle showed how to register PHP functions from inside a Twig template.
  • A simple template like {{ system("id") }} will easily pop a shell once the function has been registered! Now, a content author can pop a shell with template injection.
  • The second issue was a vulnerability in the permissions check for installing arbitrary extensions from the store. The issue was that user-controlled data was used for part of an authorization check instead of only the user information itself! If the user had ANY administrative capabilities, this user-provided data allowed them to bypass the mechanism in place. From there, they found a vulnerable package, installed it and popped a shell on the server.
  • Remediating the first vulnerability was complicated because they wanted to keep backwards compatibility. So, they implemented a denylist of functions to prevent attacks. This is not ideal and I see a bypass coming in the future. The second vulnerability was fixed by having a stricter authorization check.
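As an added example (my own code, not Grav's and not from the original post), this is what the allowlist-style sandbox that the denylist fix falls short of looks like in Twig: editor-supplied page content is compiled and rendered under a SecurityPolicy that names the few tags, filters and functions page content needs, and leaves methods and properties empty so templates cannot reach into objects such as the Environment. It assumes Twig 3 installed through Composer; the names in the policy and the sample content are illustrative.

```php
<?php
// Added example (not Grav's code): render editor-supplied page content through
// Twig's sandbox with an allowlist policy instead of an unsandboxed pass.
// Assumes Twig 3 installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Only what page content legitimately needs; everything else is refused.
// Methods and properties are empty on purpose: with no reachable methods,
// a template cannot call into any object to register new PHP functions.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],        // allowed tags
    ['escape', 'upper', 'date'], // allowed filters ('escape' covers autoescaping)
    [],                          // allowed methods per class: none
    [],                          // allowed properties per class: none
    ['range']                    // allowed functions
);

$twig = new Environment(new ArrayLoader());
$twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox every template

function renderPageContent(Environment $twig, string $source, array $vars = []): string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        // Refuse the page and log it; never fall back to an unsandboxed render.
        error_log('Sandboxed Twig rejected page content: ' . $e->getMessage());
        return '<!-- page content rejected by template policy -->';
    }
}

// Constructed sample content: an ordinary page body renders normally ...
echo renderPageContent(
    $twig,
    'Hello {{ name|upper }}: {% for i in range(1, 3) %}{{ i }} {% endfor %}',
    ['name' => 'editor']
), "\n";

// ... while any method call on an exposed object is rejected by the policy,
// which is the capability the function-registration trick above depends on.
echo renderPageContent($twig, '{{ now.format("Y") }}', ['now' => new \DateTime()]), "\n";
```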