Broken Access Control in francoisjacquet/rosariosis

Valid

Reported on

Feb 17th 2023


Vulnerability

Broken Access Control

Issue Description:

• Access control is how a web application grants access to content and functions to some users and not others.

• These checks are performed after authentication and govern what ‘authorized’ users are allowed to do.

• Jeffrey discovered that when a student submits an assignment and attaches files in the RosarioSIS school management system, the uploaded files have no restrictions. Any file uploaded and stored is retrievable and can be accessed without credentials.

Steps to reproduce

1. Log in with a student account:

https://www.rosariosis.org/demonstration/

2. Under the Grades tab -> Assignments -> Add and subtract (Title), you'll see that there is an upload function.

3. A student can upload any files and retrieve them as long as the student has the URL path of the submitted file. Moreover, any uploaded file can be accessed without credentials.

Uploaded PDF:

https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-17%2013_22_30.000000.pdf

POC video:

https://drive.google.com/file/d/1oWZoCE8hNUTzbT3rt9wmHA5U5XQYxd5f/view?usp=share_link

Recommendations:

• Jeffrey recommends reviewing the whole codebase for broken access control; the following OWASP page provides more information: https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html

Impact

Integrity Violation

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago

Jeffrey G modified the report a month ago

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago

Jeffrey G (Researcher), a month ago:


Latest uploaded pdf:

https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-18%2015_32_55.000000.pdf

François Jacquet validated this vulnerability a month ago

Hello @jeffreygaor

Thank you for your report. I have fixed the filename generation for PHP<7, so the microseconds are correctly added (the .000000 part). This was due to a bug in PHP5 and the DateTime() object.
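As an added illustration of the PHP 5 behaviour François describes (example code, not RosarioSIS's own code and not the contents of commit 630d3e): on PHP < 7.1 `new DateTime()` carries zero microseconds, so `format('u')` is always "000000"; `DateTime::createFromFormat('U.u', ...)` reads them from `microtime()` instead. The function names and the audit regex are hypothetical; the filename layout is taken from the report.

```php
<?php
// Added example, not code from the RosarioSIS project.

/**
 * Return a DateTime carrying real microseconds on any PHP version.
 * On PHP < 7.1, `new DateTime()` has microseconds fixed at 0, so
 * format('u') yields "000000". 'U.u' parses them from microtime().
 */
function nowWithMicroseconds()
{
    $dt = DateTime::createFromFormat('U.u', sprintf('%.6F', microtime(true)));
    // 'U' yields a UTC DateTime; shift it to the configured timezone.
    $dt->setTimezone(new DateTimeZone(date_default_timezone_get()));
    return $dt;
}

/**
 * Timestamp part of an assignment-file name, in the layout seen in the
 * report, e.g. "2023-02-17 13_22_30.483921" (hypothetical helper).
 */
function assignmentFileTimestamp(DateTime $dt = null)
{
    if ($dt === null) {
        $dt = nowWithMicroseconds();
    }
    return $dt->format('Y-m-d H_i_s.u');
}

/**
 * Audit check for an existing upload directory: flag file names whose
 * microsecond field is the all-zero marker produced by the PHP 5 bug.
 */
function hasZeroMicroseconds($filename)
{
    return (bool) preg_match('/_\d{2}\.000000\.[A-Za-z0-9]+$/', $filename);
}

// Constructed sample, URL-decoded from the report's file name.
$sample = 'mathematics 6_1_student s student_2023-02-17 13_22_30.000000.pdf';
var_dump(hasZeroMicroseconds($sample)); // bool(true): affected by the bug
echo assignmentFileTimestamp(), "\n";    // microseconds now non-zero
```

Running `hasZeroMicroseconds()` over the existing AssignmentsFiles directory lists the files created while the bug was present, which is the first thing a defender would want to know after upgrading.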

Jeffrey G has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 10.8.2 with commit 630d3e a month ago
François Jacquet has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 24th 2023
Jeffrey G (Researcher), a month ago:


Hi François Jacquet,

It was my pleasure to secure your Information System for school management.

Cheers!

Jeffrey

François Jacquet published this vulnerability a month ago