Improper File Deletion in francoisjacquet/rosariosis

Valid

Reported on

May 2nd 2022

Description

A student uploaded a file when submitting an assignment. Then, if a teacher deletes that assignment, the attachment is still remained on the server and if anyone has the link to that file, he can access to it to view or download it.

Steps to reproduce

Login to the demo environment by student account.
In the left menu, go to GRADES -> Assignments.
Click on Add and subtract assignment.
Click Choose file and upload any file.
Click on SUBMIT ASSIGNMENT.
Copy the link to the uploaded file.

Then Login to the demo environment by teacher account.
In the left menu, go to GRADES -> Assignments.
Delete the Add and subtract assignment.

Now access the link to the uploaded file above, you can see that you are still able to view or download it as it is still remained on the server.

Impact

It can affect the confidential of the file a student uploaded. Besides, if the file size is large (I know it can be maximum 128 MB), when the server contains some large files, it can make the server slower when loading that affect the user experience (like DoS vulnerability).

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago
KhanhCM modified the report
a year ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago
François Jacquet validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit eb878a a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
Assignments.php#L380-L397 has been validated
Assignments.php#L441-L458 has been validated
Assignments.php#L349-L374 has been validated
Assignments.php#L414-L431 has been validated
to join this conversation