Static Code Injection in gibbonedu/core
Jan 22nd 2022
The file export.php accepts a directory in the q parameter. We can upload a txt file in the server with our php exploit on it and pass its location in the q parameter, then the php exploit in the uploaded txt file will be executed
Proof of Concept
1. Upload a txt file. Inside the txt file, put php phpinfo(); . There are alot of functionality that allow file upload and one of them is in making lesson planners 2. Copy the path and the name of the txt file 3. Go to localhost/export.php?q=/path/to/txtfile.txt 4. You will see that the phpinfo is executed.
Remote code execution
Hi @admin , this seems to be fixed now, can i request for a cve for this as reserved and publish it after 3 months as the maintainer's request
As mentioned in the other report, we first require maintainers to confirm that they are happy for a CVE to be assigned.
Furthermore, we first expect a fix to be confirmed against the report before going ahead with this.
Hi there, we've confirmed the fix in our latest version of Gibbon and have notified our community that updating their installations should be a high priority.
As per our security policy, we ask that developers do no not immediately post security vulnerabilities in a CVE database. Many schools who use Gibbon may have limited funds or IT infrastructure and may only update once or twice a year. It's important to give our community ample time to update their systems before a vulnerability is posted on a public database. Once an issue has been patched and released to the community, we are open to posting these after a window of 3 months, to help ensure all systems are updated. We want to be sure to consider our schools and their capacity, to ensure we're putting their interests first.
Hello @admin , three months have now passed since i disclosed this, Perhaps we can request a cve now? Thanks
I believe that the maintainer has requested that we only publish a CVE once the
FIX has been live for three months, not since the point of disclosure.
@maintainer - can you please confirm this?
Hi @admin I kinda forgot about this report but i believe its safe to assign a cve for this bug now
We do require the go-ahead from the maintainer.