Improper File Deletion in francoisjacquet/rosariosis

Valid

Reported on

May 2nd 2022


Description

A student uploaded a file when submitting an assignment. Then, if a teacher deletes that assignment, the attachment is still remained on the server and if anyone has the link to that file, he can access to it to view or download it.

Steps to reproduce

Login to the demo environment by student account.
In the left menu, go to GRADES -> Assignments.
Click on Add and subtract assignment.
Click Choose file and upload any file.
Click on SUBMIT ASSIGNMENT.
Copy the link to the uploaded file.

Then Login to the demo environment by teacher account.
In the left menu, go to GRADES -> Assignments.
Delete the Add and subtract assignment.

Now access the link to the uploaded file above, you can see that you are still able to view or download it as it is still remained on the server.

Impact

It can affect the confidential of the file a student uploaded. Besides, if the file size is large (I know it can be maximum 128 MB), when the server contains some large files, it can make the server slower when loading that affect the user experience (like DoS vulnerability).

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 22 days ago
KhanhCM modified the report
22 days ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 21 days ago
François Jacquet validated this vulnerability 20 days ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on eb878a 20 days ago
François Jacquet has been awarded the fix bounty
Assignments.php#L380-L397 has been validated
Assignments.php#L441-L458 has been validated
Assignments.php#L349-L374 has been validated
Assignments.php#L414-L431 has been validated
to join this conversation