Password reset vulnerabilities in Grav CMS

What is Grav CMS

In the digital age, the security of web applications is a paramount concern, particularly when it comes to content management systems that power a significant portion of the internet. Grav CMS, a modern open-source flat-file CMS, is known for its flexibility and user-friendly approach. However, like any software, it is not immune to security vulnerabilities. This blog post delves into some of the critical security concerns discovered in Grav CMS, specifically focusing on its password reset functionality and how it can be exploited using common vulnerabilities such as predictable tokens and Host Header poisoning.

Password Reset issue #1 – insecure token generation

The first thing we did was check how the password reset tokens are generated. When reviewing the LoginController.php file we noticed that the password reset token is built from non-cryptographic functions: uniqid(), whose value is derived from the current time, and mt_rand(), a Mersenne Twister PRNG that is not designed to produce secrets. We have written previously about these functions and how to exploit them in our Concrete CMS exploit. Yes, md5() is not a great choice either, but there is no type juggling vulnerability here (using == instead of ===).

[Image: Password secure token uses pseudo random crypto functions]

Password reset issue #2 Host Header poisoning

One of the most common vulnerabilities that plague the password reset process in PHP apps is Host Header poisoning: the application builds the reset link from the Host header of the incoming request, so by sending a password reset request with a spoofed Host header we can often trick the application into sending a password reset link that incorporates our hostname.

[Image: password reset issue #2 Host Header poisoning]

As you can see in the email we received, we were able to change the host used in the link. In this case it is very obvious that the domain is wrong, since it is our very own domain, but an attacker could use an IP address and make it less obvious. When the victim clicks on the link, the token is sent to the attacker's server, and the attacker can then use it to take over the account.

[Image: password reset issue #2 malicious password reset link]
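To make both findings concrete, here is an added illustrative example (not Grav's code, and not the code we reviewed) that puts the weak token and link construction next to the hardened form a reviewer would expect. The config constant, the host allowlist and the function names are assumptions for the example.

```php
<?php
// Illustrative example, not Grav's code: weak patterns beside hardened ones.

// WEAK: uniqid() is clock-derived and mt_rand() is a non-cryptographic PRNG,
// so the md5() hex string built from them is not an unguessable secret.
function weakResetToken(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// HARDENED: 32 bytes from the OS CSPRNG (256 bits of entropy), hex-encoded.
function secureResetToken(): string
{
    return bin2hex(random_bytes(32));
}

// WEAK: the link host is copied from the request, so a spoofed Host header
// ends up in the email the victim receives.
function weakResetLink(string $token): string
{
    return 'https://' . $_SERVER['HTTP_HOST'] . '/reset?token=' . $token;
}

// HARDENED: the host comes from server-side configuration (assumed setting)
// and the request's Host header is only accepted if it is on an allowlist.
const CANONICAL_BASE_URL = 'https://www.example.com'; // assumed site setting
const ALLOWED_HOSTS = ['www.example.com', 'example.com']; // assumed allowlist

function secureResetLink(string $token, ?string $requestHost = null): string
{
    if ($requestHost !== null && !in_array(strtolower($requestHost), ALLOWED_HOSTS, true)) {
        throw new RuntimeException('Unexpected Host header; refusing to build reset link');
    }
    return CANONICAL_BASE_URL . '/reset?token=' . rawurlencode($token);
}

// Verification: store only a hash of the token and compare it with
// hash_equals(), which avoids loose comparison (==) and timing leaks.
function storedTokenHash(string $token): string
{
    return hash('sha256', $token);
}

function tokenMatches(string $presented, string $storedHash, int $expiresAt): bool
{
    return time() < $expiresAt
        && hash_equals($storedHash, hash('sha256', $presented));
}
```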

Conclusion

Exploring Grav CMS’s security vulnerabilities reveals the need for continual vigilance and hygiene in web development. Although Grav CMS provides a robust platform, our findings stress the importance of secure coding, especially in critical functions like authentication. Developers must prioritize using secure cryptographic functions and sanitizing inputs to protect against various security threats. This case study highlights specific security pitfalls and reminds developers to continuously update and test their applications against emerging threats.

References

https://github.com/getgrav/grav-plugin-login/blob/develop/CHANGELOG.md#04162024

Timeline

10/04/2024 – vulnerabilities disclosed to the vendor

16/04/2024 – vulnerabilities fixed

20/05/2024 – blog published
