CVE-2021-29440
PHP vulnerability analysis and mitigation

Overview

Grav CMS, a file-based web platform, was found to contain a critical vulnerability (CVE-2021-29440) that affects versions up to 1.7.10. The vulnerability allows authenticated users with page creation privileges to enable Twig processing of static pages through the front matter, which can lead to arbitrary code execution and privilege escalation on the instance. The issue was discovered in April 2021 and was patched in version 1.7.11 (Sonar Blog, GitHub Advisory).

Technical details

The vulnerability stems from unsandboxed Twig template processing in the CMS. When a user enables the process.twig directive in a page's front matter with 'twig: true', the rendering step runs without a Twig sandbox, so any tag, filter, method, and property can be invoked. Grav also registers a callback for unknown function names that resolves them to PHP functions, effectively permitting arbitrary PHP function execution from templates. This can be exploited with a template expression such as {{ system("id") }} to achieve code execution (Sonar Blog).

Impact

The vulnerability enables authenticated attackers with low privileges (page creation rights are sufficient) to execute arbitrary PHP code and system commands on the underlying server. This can lead to complete compromise of the website and its hosting server. The issue affects both recent and older versions of Grav CMS, including the two-year-old Grav 1.2.0 (Sonar Blog).

Mitigation and workarounds

The vulnerability was addressed in Grav version 1.7.11 by preventing dangerous functions from being called in Twig templates. A configuration option was added to manually allow arbitrary PHP functions (system.twig.safefunctions) and filters (system.twig.safefilters). As a workaround, administrators can block access to the /admin path from untrusted sources to reduce the probability of exploitation (GitHub Advisory).
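As an added example (not code from the Wiz report or the Grav project), the following Python audit ties the technical details and the mitigation together: it flags Grav page files whose front matter enables Twig processing and whose body contains {{ }} expressions calling functions outside an allowlist modelled on system.twig.safefunctions. The front-matter parsing rules, the allowlist contents and the sample page are assumptions for illustration.

```python
import re

# Constructed sample Grav page: front matter enables Twig processing and the
# body calls a PHP function from a Twig expression (the pattern the advisory describes).
SAMPLE_PAGE = """---
title: Example
process:
    twig: true
---
Hello {{ system("id") }}
"""

# Assumed allowlist of Twig functions considered normal in page content; align it
# with the instance's system.twig.safefunctions setting.
SAFE_FUNCTIONS = {"url", "dump", "t", "range", "date", "random"}

_FRONT_MATTER = re.compile(r"\A---\s*\n(.*?)\n---\s*\n(.*)\Z", re.DOTALL)
_TWIG_EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def twig_enabled(front_matter: str) -> bool:
    """True if 'twig: true' is set at top level or nested under 'process:'."""
    in_process = False
    for line in front_matter.splitlines():
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        if not indented:
            in_process = key == "process"
        if key == "twig" and value.strip().lower() == "true" and (in_process or not indented):
            return True
    return False

def suspicious_calls(page_text: str) -> list[str]:
    """Non-allowlisted function names called inside {{ }} on a Twig-enabled page."""
    m = _FRONT_MATTER.match(page_text)
    if not m or not twig_enabled(m.group(1)):
        return []
    found: list[str] = []
    for expr in _TWIG_EXPR.findall(m.group(2)):
        for name in _CALL.findall(expr):
            if name not in SAFE_FUNCTIONS and name not in found:
                found.append(name)
    return found
```

To audit an instance, run suspicious_calls over every .md file under the user/pages tree and review any page it reports.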

This report was generated using AI.

Related PHP vulnerabilities:

CVE ID          Severity  Score  Technology  Component name                      CISA KEV exploit  Has fix  Published date
CVE-2025-13828  CRITICAL  9      PHP         mautic/core                         No                Yes      Dec 02, 2025
CVE-2025-13827  HIGH      8.8    PHP         mautic/grapes-js-builder-bundle     No                Yes      Dec 02, 2025
CVE-2025-66312  MEDIUM    6.2    PHP         getgrav/grav                        No                Yes      Dec 01, 2025
CVE-2025-66311  MEDIUM    6.2    PHP         getgrav/grav                        No                Yes      Dec 01, 2025
CVE-2025-66310  MEDIUM    6.2    PHP         getgrav/grav                        No                Yes      Dec 01, 2025
