LearnHouse Insecure Direct Object Reference Vulnerability in Assignment Submission Handling
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the LearnHouse Learning Management System (LMS), in versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca. It exists in the Student Assignment Submission Handler component, specifically in the API endpoint that handles assignment submission files. The server does not perform authentication or authorization checks when serving files from the content directory, which allows unauthorized access to sensitive academic materials. The vulnerability can be exploited remotely and has been publicly disclosed, with a proof-of-concept exploit available.
Impact
Exploitation of this vulnerability leads to unauthorized access to student assignment submissions, which may contain personal information and academic work. This access could be used for plagiarism, as it allows retrieval of files submitted by other students. Additionally, confidential academic materials, grades, and feedback could be exposed, potentially violating student data protection laws such as FERPA in the US and GDPR in the EU. Institutions using LearnHouse could also suffer reputational damage and legal liabilities due to this vulnerability.
Reproduction
To reproduce this vulnerability, first upload a file as a student through the assignment submission API. The server will respond with a file UUID that can be used to access the uploaded file via a direct URL, which does not require authentication. This URL can be accessed through a web browser or command-line tools like wget or curl.
Remediation
It is recommended to implement authentication checks for the content serving routes and to add authorization verification to ensure that only the rightful owner of a submission or an authorized instructor can access the files.
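The check recommended above, shown as an added example beside the unchecked behaviour (this is not LearnHouse code). The `User` and `Submission` models, the function names, the sample record, and the choice of status codes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: int
    instructs: frozenset = frozenset()  # course ids taught (assumed role model)

@dataclass(frozen=True)
class Submission:
    file_uuid: str
    owner_id: int
    course_id: int

# Constructed sample record: student 1 submitted a file in course 10.
SUBMISSIONS = {"file_0001": Submission("file_0001", owner_id=1, course_id=10)}

def serve_unchecked(file_uuid: str, store=SUBMISSIONS) -> int:
    """Behaviour the advisory describes: any caller who has the URL gets the file."""
    return 200 if file_uuid in store else 404

def serve_checked(user: Optional[User], file_uuid: str, store=SUBMISSIONS) -> int:
    """Status the content route should return after authn and authz checks."""
    if user is None:                      # authentication: no valid session
        return 401
    sub = store.get(file_uuid)
    if sub is None:
        return 404
    is_owner = user.user_id == sub.owner_id
    is_instructor = sub.course_id in user.instructs
    # Authorization: a non-owner gets the same 404 as for an unknown UUID,
    # so the route does not confirm that another student's file exists.
    return 200 if (is_owner or is_instructor) else 404
```

In a real deployment the lookup must be keyed on the server-side submission record, never on an owner or course value supplied in the request.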
