URL: https://huntr.dev/bounties/a281c586-9b97-4d17-88ff-ca91bb4c45ad/
Scanned on March 08 (urlscan.io public scan)
BROKEN ACCESS CONTROL IN FRANCOISJACQUET/ROSARIOSIS
Valid. Reported on Feb 17th 2023

VULNERABILITY
Broken Access Control

ISSUE DESCRIPTION:
• Access control is the way a web application grants access to content and functions to some users and not others.
• These checks are performed after authentication and govern what 'authorized' users are allowed to do.
• Jeffrey discovered that when a student submits an assignment and attaches files in the RosarioSIS school management system, the uploaded files have no restrictions. Any files uploaded and stored are retrievable and can be accessed without credentials.

STEPS TO REPRODUCE
1. Log in with a student account: https://www.rosariosis.org/demonstration/
2. Under the Grades tab -> Assignments -> "Add and subtract" (Title), you'll see that there's an upload function.
3. A student can upload any file and retrieve it as long as the student has the URL path of the submitted file. Moreover, any file uploaded can be accessed without credentials.
UPLOADED PDF: https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-17%2013_22_30.000000.pdf

POC VIDEO: https://drive.google.com/file/d/1oWZoCE8hNUTzbT3rt9wmHA5U5XQYxd5f/view?usp=share_link

RECOMMENDATIONS:
• Jeffrey recommends reviewing the whole codebase for broken access control; the following cheat sheet from OWASP provides more information: https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html

IMPACT
Integrity Violation

TIMELINE
19 days ago: We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours.
19 days ago: Jeffrey G modified the report.
19 days ago: Jeffrey G modified the report.
19 days ago: We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back.
18 days ago: Jeffrey G (Researcher) commented:
    Latest uploaded pdf: https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-18%2015_32_55.000000.pdf
17 days ago: François Jacquet validated this vulnerability:
    Hello @jeffreygaor, thank you for your report. I have fixed the filename generation for PHP<7, so the microseconds are correctly added (the .000000 part). This was due to a bug in PHP5 and the DateTime() object.
Jeffrey G has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
17 days ago: François Jacquet marked this as fixed in 10.8.2 with commit 630d3e.
François Jacquet has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
This vulnerability is scheduled to go public on Feb 24th 2023.
17 days ago: Jeffrey G (Researcher) commented:
    Hi François Jacquet, it was my pleasure to secure your Information System for school management.
    Cheers! Jeffrey
13 days ago: François Jacquet published this vulnerability.

CVE: CVE-2023-0994 (published)
Vulnerability Type: CWE-284: Improper Access Control
Severity: High (8.1)
    Attack vector: Network
    Attack complexity: High
    Privileges required: None
    User interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: High
    Availability: High
Registry: Other
Affected Version: Latest
Visibility: Public
Status: Fixed
Found by: Jeffrey G @jeffreygaor
Fixed by: François Jacquet @francoisjacquet
This report was seen 495 times.
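An added audit example, written for this page and not RosarioSIS code or part of the report: it parses the two assignment-file URLs quoted above, flags names whose timestamp carries the zeroed ".000000" microseconds that the maintainer attributes to the PHP<7 DateTime bug, and counts how many URLs a guesser would have to try per second of upload time with zeroed versus real microseconds. The filename layout "<prefix>_<YYYY-MM-DD HH_MM_SS.uuuuuu>.<ext>" is inferred from those two URLs and is an assumption; the meaning of the prefix segments is not interpreted.

```python
"""Audit helper for predictable RosarioSIS assignment-file names.

Added example, not RosarioSIS code. Assumes the layout seen in the two
URLs quoted in the report: '<prefix>_<YYYY-MM-DD HH_MM_SS.uuuuuu>.<ext>'.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# The two URLs quoted in the report above (taken from the page, not constructed).
OBSERVED_URLS = [
    "https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/"
    "Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-17%2013_22_30.000000.pdf",
    "https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/"
    "Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-18%2015_32_55.000000.pdf",
]

# Assumed layout: free-form prefix, '_', date, space, H_M_S, '.', six microsecond
# digits, '.', extension. The date must directly follow an underscore.
STAMP_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}_\d{2}_\d{2})"
    r"\.(?P<usec>\d{6})\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_upload_name(url_or_path):
    """Split a URL or bare filename into prefix, timestamp, microseconds and
    extension; return None when the name does not follow the assumed layout."""
    name = unquote(urlsplit(url_or_path).path.rsplit("/", 1)[-1])
    m = STAMP_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H_%M_%S")
    return {"prefix": m["prefix"], "stamp": stamp, "usec": int(m["usec"]), "ext": m["ext"]}


def has_zeroed_microseconds(url_or_path):
    """True when the name carries the '.000000' stamp a vulnerable build produced."""
    info = parse_upload_name(url_or_path)
    return info is not None and info["usec"] == 0


def candidate_names(prefix, ext, start, seconds, zeroed_usec=True):
    """Yield every filename a guesser must try to cover `seconds` of upload time.
    With zeroed microseconds there is one name per second; with working
    microseconds there are 10**6 names per second."""
    for s in range(seconds):
        base = (start + timedelta(seconds=s)).strftime("%Y-%m-%d %H_%M_%S")
        if zeroed_usec:
            yield f"{prefix}_{base}.000000.{ext}"
        else:
            for u in range(1_000_000):
                yield f"{prefix}_{base}.{u:06d}.{ext}"


def search_space(seconds, zeroed_usec=True):
    """Number of URLs to guess for an upload window of `seconds`."""
    return seconds * (1 if zeroed_usec else 1_000_000)


def audit(paths):
    """Return the URLs or paths whose stamp is zeroed, i.e. files written by a
    build affected by the PHP<7 microsecond bug."""
    return [p for p in paths if has_zeroed_microseconds(p)]


if __name__ == "__main__":
    for url in audit(OBSERVED_URLS):
        info = parse_upload_name(url)
        print("zeroed microseconds:", info["prefix"], info["stamp"])
    print("guesses for a 60 s window, zeroed:", search_space(60))
    print("guesses for a 60 s window, real usec:", search_space(60, zeroed_usec=False))
```

Running `audit` over the names listed from an AssignmentsFiles directory (for example the output of `os.listdir`) identifies files that were written by an affected build and still carry the guessable stamp; `candidate_names` makes the guessing cost concrete for a known prefix and an approximate submission time.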