Gibbon Path Traversal Vulnerability Leading to Denial-of-Service
Vulnerability
A path traversal vulnerability has been identified in Gibbon versions prior to v30.0.01. It allows users with Teacher or higher privileges to manipulate file paths in a way that disrupts normal application operation. The issue arises in the report archiving process, where an uploaded ZIP file is extracted and then deleted. Because the deletion runs even when extraction fails, a traversal sequence in the archive path can remove an arbitrary application file, creating a denial-of-service condition. Additionally, the vulnerability can be exploited to execute PHP code by uploading a ZIP file containing a maliciously named PHP file, which is then processed by the application.
Impact
Exploitation of this vulnerability leads to a denial-of-service condition, causing the web application to become unavailable. Furthermore, the path traversal can be combined with local file inclusion to achieve remote code execution, as demonstrated in the same version of Gibbon.
Reproduction
To reproduce this vulnerability, upload a ZIP file through the report archiving feature, ensuring it contains a PDF that matches a student. After the file is uploaded, intercept the request to confirm the import and replace the path with a traversal that deletes a PHP file. This will trigger the extraction process, delete the file, and cause a denial-of-service condition.
Remediation
Users are advised to update to Gibbon version v30.0.01, which addresses this vulnerability.
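The extract-then-delete flow described in the Vulnerability section can be hardened by checking every supplied path before touching the filesystem and deleting the archive only after extraction has fully succeeded. The following is an added example in Python, not Gibbon's own PHP code: the archive path and every ZIP member name are resolved and required to stay inside their base directory, executable members are refused, and failure leaves the uploaded file in place. The directory layout, `demo()` scenario and sample files are constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

REFUSED_SUFFIXES = {".php", ".phtml", ".phar"}   # executable members are never accepted

class UnsafePathError(ValueError):
    """A supplied path would escape the directory it must stay inside."""

def resolve_inside(base_dir, user_path):
    """Resolve user_path against base_dir; reject '..', absolute paths and symlinks that leave it."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePathError(f"{user_path!r} escapes {base}")
    return candidate

def process_archive(upload_dir, archive_name, extract_dir):
    """Extract an uploaded ZIP, then delete it, but only when the archive and every
    member stay inside their directories and extraction fully succeeded."""
    extracted = []
    try:
        archive = resolve_inside(upload_dir, archive_name)   # checked before disk is touched
        dest = Path(extract_dir).resolve()
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                resolve_inside(dest, name)                    # zip-slip guard on member names
                if Path(name).suffix.lower() in REFUSED_SUFFIXES:
                    raise UnsafePathError(f"refused executable member {name!r}")
                extracted.append(name)
            zf.extractall(dest)
    except (UnsafePathError, zipfile.BadZipFile, OSError) as exc:
        return {"extracted": [], "deleted": False, "error": str(exc)}  # nothing deleted on failure
    archive.unlink()                                           # delete only after success
    return {"extracted": extracted, "deleted": True, "error": None}

def demo():
    """Constructed scenario: a benign archive, a traversal archive name and a corrupt archive."""
    root = Path(tempfile.mkdtemp())
    uploads, out, app_file = root / "uploads", root / "extracted", root / "index.php"
    uploads.mkdir()
    app_file.write_text("<?php echo 'app'; ?>")   # stands in for an application file
    with zipfile.ZipFile(uploads / "good.zip", "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
    (uploads / "corrupt.zip").write_bytes(b"not a zip archive")
    return {"good": process_archive(uploads, "good.zip", out),
            "traversal": process_archive(uploads, "../index.php", out),
            "corrupt": process_archive(uploads, "corrupt.zip", out),
            "app_file_intact": app_file.exists(),
            "corrupt_kept": (uploads / "corrupt.zip").exists()}
```

Running `demo()` shows the benign archive extracted and removed, while both the traversal name and the corrupt archive are rejected without deleting anything.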
