MarkUs Insecure Direct Object Reference Vulnerability in Submission File Access
Vulnerability
A vulnerability allowing arbitrary access to submission files has been identified in MarkUs versions prior to 2.9.1. The issue is in the 'courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content' endpoint, which accepted a 'select_file_id' parameter to retrieve 'SubmissionFile' objects. The lookup by this parameter was not scoped to the requesting user, so any submission file could be retrieved by its ID, compromising the confidentiality of the files.
Impact
Exploitation of this vulnerability allows any authenticated user to access submitted files, bypassing authorization controls and leading to unauthorized disclosure of information.
Reproduction
To reproduce this vulnerability, send a request to the 'courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content' endpoint with a 'select_file_id' parameter. The request can be made by any authenticated user, regardless of their role or permissions. If the 'select_file_id' corresponds to a submission file ID, the file's contents will be returned, demonstrating the unauthorized access.
Remediation
Users can upgrade to MarkUs version 2.9.1 or later, where this vulnerability has been fixed.
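The class of bug described above, as an added Ruby illustration that is not MarkUs source code: an unscoped lookup by ID next to one scoped to the requester and to the assignment in the route. The Struct models, the Store class, the sample records and the rule that staff may read any file in the assignment are assumptions made for the example.

```ruby
# Added illustration, not MarkUs code: every name below is hypothetical.
Submission = Struct.new(:id, :assignment_id, :owner_ids)
SubmissionFile = Struct.new(:id, :submission_id, :filename, :content)
User = Struct.new(:id, :role)
class NotAuthorized < StandardError; end

class Store
  def initialize(submissions, files)
    @submissions = submissions.to_h { |s| [s.id, s] }
    @files = files.to_h { |f| [f.id, f] }
  end

  # Flawed pattern: the file is fetched from the global table by a
  # client-supplied ID; the requester and the route are never consulted.
  def find_file_unscoped(_user, _assignment_id, file_id)
    @files.fetch(file_id)
  end

  # Scoped pattern: the file must belong to a submission of the assignment
  # named in the route, and the requester must own it or be staff (assumed rule).
  def find_file_scoped(user, assignment_id, file_id)
    file = @files[file_id]
    submission = file && @submissions[file.submission_id]
    allowed = submission &&
              submission.assignment_id == assignment_id &&
              (user.role == :staff || submission.owner_ids.include?(user.id))
    # Same error for "missing" and "forbidden", so responses do not reveal valid IDs.
    raise NotAuthorized, "file not available" unless allowed
    file
  end
end

# Constructed sample data: two students, one grader, two assignments.
STORE = Store.new(
  [Submission.new(1, 10, [100]), Submission.new(2, 10, [200]), Submission.new(3, 11, [100])],
  [SubmissionFile.new(501, 1, "a1.py", "alice's work"),
   SubmissionFile.new(502, 2, "a1.py", "bob's work"),
   SubmissionFile.new(503, 3, "a2.py", "alice's other work")]
)
ALICE = User.new(100, :student)
GRADER = User.new(300, :staff)

# True when the scoped lookup would serve the file to this user.
def readable?(user, assignment_id, file_id)
  STORE.find_file_scoped(user, assignment_id, file_id)
  true
rescue NotAuthorized
  false
end
```

The scoped lookup also rejects a user's own file when it is requested through a different assignment's route, which keeps the route parameters and the object ID consistent.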
