Static Code Injection in gibbonedu/core

Valid

Reported on

Jan 22nd 2022


Description

The file export.php accepts a directory in the q parameter. We can upload a .txt file to the server with our PHP exploit in it and pass its location in the q parameter; the PHP code in the uploaded .txt file will then be executed.

Proof of Concept

1. Upload a .txt file. Inside the .txt file, put <?php phpinfo(); ?>. There are a lot of features that allow file upload, and one of them is creating lesson planners.
2. Copy the path and the name of the .txt file.
3. Go to localhost/export.php?q=/path/to/txtfile.txt
4. You will see that phpinfo is executed.
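
The report above describes an include of a request-controlled path, which runs PHP tags from any file regardless of its extension. The following is an added example, not Gibbon's code or its actual fix: the vulnerable pattern beside a hardened form that maps the parameter to an allowlisted handler name and confirms the resolved path stays inside a fixed directory. The handler directory and handler names are assumptions.

```php
<?php
// Added example (not Gibbon's code or its fix). Assumptions: export handlers
// live in a fixed directory and are selected by a short name, not a path.

// VULNERABLE pattern: the request parameter is passed straight to include.
// A file uploaded elsewhere (e.g. a .txt containing <?php ... ?>) executes,
// because include() evaluates PHP tags whatever the file extension is.
function exportVulnerable(string $q): void
{
    include $q;
}

// HARDENED: the request only chooses among known handler names; the path is
// built from constants and checked again after resolution.
const EXPORT_DIR = __DIR__ . '/exports';               // assumed location
const EXPORT_ALLOWLIST = ['students', 'timetable'];     // assumed handler names

function resolveExportHandler(string $q): ?string
{
    // 1. Reject anything that is not an exact allowlisted name.
    if (!in_array($q, EXPORT_ALLOWLIST, true)) {
        return null;
    }
    // 2. Build the path from constants, never from request data.
    $candidate = EXPORT_DIR . '/' . $q . '.php';

    // 3. Defence in depth: realpath() collapses ../ and symlinks; require the
    //    result to sit under EXPORT_DIR and to be a .php file.
    $real = realpath($candidate);
    $base = realpath(EXPORT_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $real;
}

function exportHardened(string $q): void
{
    $handler = resolveExportHandler($q);
    if ($handler === null) {
        http_response_code(400);
        exit('Unknown export');
    }
    include $handler;
}
```

With this structure a path such as /path/to/txtfile.txt is rejected at step 1, and even a crafted allowlisted-looking value cannot escape the handler directory at step 3.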

Impact

Remote code execution

Occurrences

We are processing your report and will contact the gibbonedu/core team within 24 hours. 4 months ago
We have contacted a member of the gibbonedu/core team and are waiting to hear back 4 months ago
gibbonedu/core maintainer validated this vulnerability 4 months ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
noobexploiterhuntrdev
4 months ago

Researcher


Hi @admin, this seems to be fixed now. Can I request a CVE for this as reserved and publish it after 3 months, as per the maintainer's request?

Jamie Slome
4 months ago

Admin


As mentioned in the other report, we first require maintainers to confirm that they are happy for a CVE to be assigned.

Furthermore, we first expect a fix to be confirmed against the report before going ahead with this.

gibbonedu/core maintainer confirmed that a fix has been merged on 8d8495 4 months ago
The fix bounty has been dropped
export.php#L43 has been validated
gibbonedu/core maintainer
4 months ago

Maintainer


Hi there, we've confirmed the fix in our latest version of Gibbon and have notified our community that updating their installations should be a high priority.

As per our security policy, we ask that developers do not immediately post security vulnerabilities in a CVE database. Many schools who use Gibbon may have limited funds or IT infrastructure and may only update once or twice a year. It's important to give our community ample time to update their systems before a vulnerability is posted on a public database. Once an issue has been patched and released to the community, we are open to posting these after a window of 3 months, to help ensure all systems are updated. We want to be sure to consider our schools and their capacity, to ensure we're putting their interests first.

noobexploiterhuntrdev
2 months ago

Researcher


Hello @admin, three months have now passed since I disclosed this. Perhaps we can request a CVE now? Thanks

Jamie Slome
2 months ago

Admin


I believe that the maintainer has requested that we only publish a CVE once the FIX has been live for three months, not since the point of disclosure.

@maintainer - can you please confirm this?
