This vulnerability occurs in the Grav admin panel’s language configuration. The value of the `Supported` language parameter is used directly to build a regular expression that is passed to `preg_match()` on line 244 of Language.php. The input is neither escaped with `preg_quote()` nor validated before being interpolated into the regex pattern. An attacker, acting as an admin user or via CSRF, can submit a single forward slash (/) as the value. This slash is interpreted as the regex delimiter, so the remaining characters of the hardcoded pattern are misread as invalid pattern modifiers. This triggers a fatal `preg_match(): Unknown modifier` warning. Because this regex is executed during fundamental language resolution, the error crashes the application completely, rendering all front-end and admin pages inaccessible and requiring filesystem access to fix the configuration.
Platform: Grav CMS
Version: 1.7.48
Vulnerability: DoS via Regex
Severity: Critical
Date: 2024-10-XX
Prediction: 2024-11-15 Patch
What Undercode Say:
curl -X POST 'https://target/admin/config/system' -d "data[bash][supported]=/" --cookie "grav-admin-xxxx"
Payload for Supported field: /
Error location: /system/src/Grav/Common/Language/Language.php:244
How Exploit:
1. Authenticate as admin.
2. Navigate to System Config.
3. Inject slash payload.
4. Save causing crash.
Protection from this CVE
Apply input sanitization.
Use preg_quote().
Validate admin input.
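The two mitigations above (escaping with `preg_quote()` and validating the input) shown next to the unescaped interpolation, as an added example that is not Grav's own code. The route pattern, the function names and the language-tag allowlist are assumptions made for illustration; the actual pattern in Language.php is not shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical pattern builder: values are interpolated verbatim,
// so a "/" in the list closes the pattern early.
function langRegexUnsafe(array $supported): string
{
    return '/^\/(' . implode('|', $supported) . ')(?:\/|$)/';
}

// Hardened builder: validate each value, then escape it.
function langRegexSafe(array $supported): string
{
    $clean = [];
    foreach ($supported as $code) {
        // Validation: accept only language-tag shaped values (assumed policy).
        if (preg_match('/^[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})*$/D', $code) !== 1) {
            continue;
        }
        // Escaping: neutralise regex metacharacters and the "/" delimiter.
        $clean[] = preg_quote($code, '/');
    }
    if ($clean === []) {
        throw new InvalidArgumentException('no valid language codes');
    }
    return '/^\/(' . implode('|', $clean) . ')(?:\/|$)/';
}

// Constructed sample input: one valid code plus the slash from the report.
$supported = ['en', '/'];
$uri = '/en/blog';

// Promote warnings to exceptions so the regex failure is visible
// (an assumption about how an application might treat warnings).
set_error_handler(function (int $no, string $msg): bool {
    throw new ErrorException($msg, 0, $no);
});
try {
    preg_match(langRegexUnsafe($supported), $uri);
    echo "unsafe: pattern compiled\n";
} catch (ErrorException $e) {
    echo 'unsafe: ', $e->getMessage(), "\n";
}
restore_error_handler();

$ok = preg_match(langRegexSafe($supported), $uri, $m);
echo "safe: result={$ok} lang={$m[1]}\n";
```

Passing `'/'` as the second argument to `preg_quote()` matters here: without it the delimiter itself is not escaped.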
Impact:
Full Application DoS.
Admin Lockout.
CSRF Exploitable.
Sources:
Reported By: github.com

