yungifez Skuul School Management System EXIF Metadata Information Disclosure Vulnerability

Vulnerability

A vulnerability in yungifez Skuul School Management System up to and including version 2.6.5 allows information disclosure through EXIF metadata retained in uploaded images. The Image Handler component does not strip metadata from profile photos, so data embedded by the camera or phone, such as GPS coordinates, device make and model, and other personal details, remains readable by any user or administrator who can retrieve the stored image. The vulnerability can be exploited remotely by any account that is allowed to view profile photos.

Impact

Exploitation of this vulnerability gives unauthorized access to sensitive information embedded in image EXIF data: GPS coordinates (often the place the photo was taken, such as a home address), device make and model, timestamps, and other personal identifiers. Exposing such data about pupils, parents and staff can also breach privacy regulations such as GDPR.

Reproduction

To reproduce this vulnerability, log into Skuul and navigate to the user profile page. Upload a profile photo that carries EXIF metadata, for example one taken on a phone with location services enabled so that it contains GPS coordinates. After saving, download the stored image and inspect it with a local metadata tool such as exiftool (avoid online EXIF viewers for this check, since they hand the same sensitive data to a third party). If the downloaded copy still contains the GPS coordinates and device details, the upload was stored unsanitized and the vulnerability is confirmed.

Remediation

It is recommended to strip EXIF, XMP and IPTC metadata from every uploaded image on the server, before the file is written to storage, so that only sanitized versions are ever stored and served; client-side stripping is not sufficient because the upload request can be crafted directly. Re-encoding the image through the application's image library is the most reliable way to do this, with the caveat that the EXIF Orientation tag must be applied to the pixels before it is discarded or photos will be stored rotated. The sanitization should cover every upload path in the platform, not only profile photos, and a one-off sweep of already stored files should remove any sensitive metadata they still contain.
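As an added illustration, not code from the advisory or from the Skuul project, the following standard-library Python script does both halves of the above: it audits a JPEG for the retained metadata the reproduction step looks for, and strips it server-side as the remediation recommends, by walking the JPEG marker segments ahead of the scan data and dropping the APP1 (Exif/XMP), APP13 (IPTC) and COM segments. The sample upload is constructed inline and contains a minimal Exif block with a Model tag and a GPS sub-IFD pointer; the tag numbers and segment headers are the ones defined by the Exif and JPEG specifications.

```python
"""Audit and strip JPEG metadata (Exif, XMP, IPTC, comments) with the standard
library only, by walking the marker segments ahead of the entropy-coded scan."""
import struct

SOI = b"\xff\xd8"
MARKER_SOS = 0xDA
MARKER_APP1 = 0xE1
MARKER_APP13 = 0xED
MARKER_COM = 0xFE
# Markers with no length field: TEM, SOI, EOI and the RSTn restart markers.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
# Segments removed on upload. APP0 (JFIF), APP2 (ICC) and APP14 (Adobe) are
# kept: they affect decoding and colour, not privacy.
STRIP_MARKERS = {MARKER_APP1, MARKER_APP13, MARKER_COM}

EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
IPTC_HEADER = b"Photoshop 3.0\x00"
TAG_MODEL = 0x0110      # IFD0 "Model"
TAG_GPS_IFD = 0x8825    # IFD0 pointer to the GPS sub-IFD


def segment(marker, payload):
    """Encode one segment: 0xFF, marker, big-endian length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def iter_segments(data):
    """Yield (marker, payload) for each segment up to SOS. For SOS the payload is
    everything from the SOS marker to end of file (scan data plus EOI)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated JPEG")
        marker = data[pos]
        pos += 1
        if marker == MARKER_SOS:
            yield marker, data[pos - 2:]   # hand the scan over untouched
            return
        if marker in STANDALONE:
            yield marker, b""
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield marker, data[pos + 2:pos + length]
        pos += length


def exif_ifd0_tags(tiff):
    """Return the tag IDs present in IFD0 of a TIFF-structured Exif block."""
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    return [struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count)]


def audit_jpeg(data):
    """Report which metadata the stored file still carries (the reproduction check)."""
    report = {"exif_tags": [], "has_gps": False, "xmp": False, "iptc": False, "comment": False}
    for marker, payload in iter_segments(data):
        if marker == MARKER_SOS:
            break
        if marker == MARKER_APP1 and payload.startswith(EXIF_HEADER):
            report["exif_tags"] = exif_ifd0_tags(payload[len(EXIF_HEADER):])
            report["has_gps"] = TAG_GPS_IFD in report["exif_tags"]
        elif marker == MARKER_APP1 and payload.startswith(XMP_HEADER):
            report["xmp"] = True
        elif marker == MARKER_APP13 and payload.startswith(IPTC_HEADER):
            report["iptc"] = True
        elif marker == MARKER_COM:
            report["comment"] = True
    return report


def strip_metadata(data):
    """Rebuild the JPEG without Exif/XMP/IPTC/COM segments (the remediation);
    the scan itself is copied byte for byte, so pixels are not re-encoded."""
    out = bytearray(SOI)
    for marker, payload in iter_segments(data):
        if marker == MARKER_SOS:
            out += payload
            break
        if marker in STRIP_MARKERS:
            continue
        out += b"\xff" + bytes([marker]) if marker in STANDALONE else segment(marker, payload)
    return bytes(out)


# Constructed sample: a minimal big-endian TIFF with IFD0 = {Model, GPS IFD pointer}.
SAMPLE_TIFF = (b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x02"
               + b"\x01\x10\x00\x02\x00\x00\x00\x08\x00\x00\x00\x26"   # Model: ASCII[8] at 0x26
               + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x2e"   # GPS IFD at 0x2e
               + b"\x00\x00\x00\x00" + b"Phone X\x00"
               + b"\x00\x01" + b"\x00\x01\x00\x02\x00\x00\x00\x02N\x00\x00\x00" + b"\x00\x00\x00\x00")
# Constructed upload: JFIF + Exif + XMP + comment + tables + an 8x8 grey scan.
SAMPLE_UPLOAD = (SOI
                 + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
                 + segment(MARKER_APP1, EXIF_HEADER + SAMPLE_TIFF)
                 + segment(MARKER_APP1, XMP_HEADER + b"<x:xmpmeta/>")
                 + segment(MARKER_COM, b"edited on a named workstation")
                 + segment(0xDB, b"\x00" + bytes(range(1, 65)))              # DQT (placeholder values)
                 + segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")    # SOF0: 8x8, 1 component
                 + segment(MARKER_SOS, b"\x01\x01\x00\x00\x3f\x00")
                 + b"\x7f\xff\x00\xd2" + b"\xff\xd9")                        # scan bytes + EOI

if __name__ == "__main__":
    print("before:", audit_jpeg(SAMPLE_UPLOAD))
    print("after: ", audit_jpeg(strip_metadata(SAMPLE_UPLOAD)))
```

In an upload handler, `strip_metadata` would run on the request body before the file is persisted, and `audit_jpeg` doubles as the check for the periodic sweep of files already in storage. Because the scan is copied rather than decoded, the script does not apply the Orientation tag; an application that re-encodes through its image library should rotate first and then discard the tag.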

Added: Nov 30, 2025, 8:17 AM
Updated: Nov 30, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.