Grav security is broken

This blog is running on Grav, a file based CMS that allows me to write articles in Markdown and is pretty lightweight. Those are actually some of the reasons that lead me to choose Grav instead of WordPress, because i'd be able to run it with less hardware resources and hopefully have a simpler switch to a static site generator, should i ever want to try out that approach.

Sadly, it seems like things aren't so simple and that you can't really buy into to all of the claims that are made on its website:

grav-security-is-broken

Professionals, huh? So how come for a little while, my site's header had "Hacked by tokeichun" appended to it?

grav-hacked-header

Pretty alarming, eh? Well, not really, just disappointing. While there is no actually important data on this instance and i have backups (currently diffing two different ones to see what's changed and to really explore that breach), it's the fact that even simple software like this has exploits that is worrying.

You see, there was precisely one thing that i expected of its admin login page. To prevent other people from logging in and doing write operations through the admin plugin, since the password is randomly generated and so long that it should be secure:

grav-admin-page

I'm upset about the fact that in the current day and age, it's not enough to rely on mechanisms like this, because even though they make sense by themselves, it's everything around them that is brittle. How are we supposed to ever talk about having secure software, if we cannot even get this much right? Thus, it becomes some silly arms race of seeing who's faster: the hackers, or the developers, who will push out more and more patches for their insecure and unreliable code, hoping to somehow address the numerous shortcomings and problems with it.

And there's approx. 0% chance that every user out there will be able to keep in line with these updates and fix everything in time - just look at the Log4Shell debacle and how updating a single dependency in all of the projects ruined many folks weekends! That's how you end up with people who run everything in their internal networks, since a zero-trust model just isn't viable. That's how you end up having to cut off entire URL groups either by limiting what IPs can access them, or by adding additional security mechanisms:

grav-admin-basicauth

And let me tell you: that still won't be enough. Sooner or later, more ways will be found around your measures and so the hamster wheel will keep on spinning. Someone might instantly ask me whether i have the very latest updates. The answer to that will be "no", since the day when "basic login functionality now works and doesn't allow ways around it" is added to patch notes of some update will be the day when software will be inevitably screwed. A fair critique then could be asking me: "Well, what did you expect?"

The answer to that is simple:

if request.to_admin_path:
  if request.authenticated_as_admin:
    request.permit()
  else:
    request.deny()
else:
  ...

Either way, thanks to tokeichun for hacking the site in the first place (at least in the simple capacity of changing the header), i'll have at least a little fun figuring out how to diff the backups properly and whatnot. Seems like quite a few sites out there have this vulnerability, because while Shodan doesn't turn up much, even a simple search with DuckDuckGo turns up many results like that.

Update

After a brief review of the backups and diffing them, it really seems like the only thing that was changed was the site title:

backups-compared

(in case anyone is wondering, the software used is Meld)

It happened sometime yesterday, because no older version is affected. Now, with most regular systems or servers this would mean having to wipe the entire install and carry over data on a case by case basis, because once something is compromised, typically you have no idea what else could have been changed. Of course, this has no important data in it and runs in a container with limited disk access and limited resources, so i might as well leave it.

You know, i'll also leave this shoutout here, because it seems like that's what the person was after.