In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges.
This results in full administrative compromise of the Grav API.
The vulnerability is located in the API plugin's blueprint upload flow:
user/plugins/api/classes/Api/ApiRouter.php:261user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417user/plugins/api/classes/Api/Controllers/AuthController.php:41-55The issue exists because /api/v1/blueprint-upload accepts caller-controlled destination and scope values and uses them to resolve the final filesystem write target.
When the request uses:
destination=self@:scope=users/anythingThe server resolves the write target to the shared account directory:
user/accounts/
The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext password: field on first login, an attacker can create a fully functional administrator account with api.super.
The required attacker privilege is low:
access:
api:
access: true
media:
write: true
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close
{"username":"uploader","password":"Upload123A"}
Extract:
UPLOADER_TOKEN = <access_token from response>
Attachment:
<img width="1480" height="825" alt="login-uploader"...
2.0.0-beta.4Exploitability
AV:NAC:LAT:NPR:LUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N