URL: https://huntr.dev/bounties/a281c586-9b97-4d17-88ff-ca91bb4c45ad/

BROKEN ACCESS CONTROL IN FRANCOISJACQUET/ROSARIOSIS

Valid

Reported on

Feb 17th 2023

--------------------------------------------------------------------------------


VULNERABILITY

Broken Access Control


ISSUE DESCRIPTION:

• Access control is how a web application grants access to content and
functions to some users and not others.

• These checks are performed after authentication and govern what ‘authorized’
users are allowed to do.

• Jeffrey discovered that when a student submits an assignment and attaches any
files in the RosarioSIS school management system, the uploaded files have no
restrictions. Any files uploaded and stored are retrievable and can be accessed
without credentials.


STEPS TO REPRODUCE

1. Log in with a student account:

https://www.rosariosis.org/demonstration/

2. Under Grades tab -> Assignments -> Add and subtract (Title), you'll see
that there is an upload function.

3. A student can upload any files and retrieve them as long as the student has
the URL path of the submitted files. Moreover, any files uploaded can be
accessed without credentials.


UPLOADED PDF:

https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-17%2013_22_30.000000.pdf


POC VIDEO:

https://drive.google.com/file/d/1oWZoCE8hNUTzbT3rt9wmHA5U5XQYxd5f/view?usp=share_link


RECOMMENDATIONS:

• Jeffrey recommends reviewing the whole codebase for broken access control; the
following cheat sheet from OWASP provides more information:
https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html


IMPACT

Integrity Violation
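The report's recommendation is to review access control around uploaded files. As an added example, not code from RosarioSIS or from this report, the PHP handler below serves a stored assignment upload only to a logged-in user who submitted it, teaches it, or is an admin, reading it from a directory outside the web root so no bare /assets/... URL can reach it. UPLOAD_ROOT, the submission_files table, the helper names and the shape of $user are assumptions.

```php
<?php
// Added example, not RosarioSIS code. UPLOAD_ROOT, the submission_files
// table and the shape of $user (['id' => int, 'role' => string]) are assumptions.
// Storage root outside the document root, so no upload is reachable by a
// bare /assets/AssignmentsFiles/... URL; only this handler can return it.
const UPLOAD_ROOT = '/var/lib/rosariosis/uploads';

// Assumed lookup; replace with the application's own query.
function lookup_submission_file(PDO $db, int $file_id): ?array
{
    $stmt = $db->prepare('SELECT path, student_id, teacher_id, original_name
                          FROM submission_files WHERE id = ?');
    $stmt->execute([$file_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Authorization rule: the submitting student, the assignment's teacher, or an admin.
function may_read_submission(array $user, array $file): bool
{
    if ($user['role'] === 'admin') {
        return true;
    }
    if ($user['role'] === 'student') {
        return $user['id'] === (int) $file['student_id'];
    }
    return $user['role'] === 'teacher' && $user['id'] === (int) $file['teacher_id'];
}

function serve_submission_file(PDO $db, ?array $user, int $file_id): void
{
    if ($user === null) {            // no session: never serve the file
        http_response_code(401);
        return;
    }
    $file = lookup_submission_file($db, $file_id);
    // Same response for "missing" and "forbidden" so ids cannot be probed.
    if ($file === null || !may_read_submission($user, $file)) {
        http_response_code(404);
        return;
    }
    // Resolve the stored path and refuse anything that escapes UPLOAD_ROOT.
    $real = realpath(UPLOAD_ROOT . '/' . $file['path']);
    if ($real === false || strpos($real, UPLOAD_ROOT . '/') !== 0) {
        http_response_code(404);
        return;
    }
    $name = str_replace(['"', "\r", "\n"], '', basename($file['original_name']));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($real);
}
```

Unpredictable filenames (such as the microsecond component mentioned later on this page) reduce guessability but are not a substitute for the authentication and ownership checks shown here.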

We are processing your report and will contact the francoisjacquet/rosariosis
team within 24 hours. 19 days ago
Jeffrey G modified the report
19 days ago
Jeffrey G modified the report
19 days ago
We have contacted a member of the francoisjacquet/rosariosis team and are
waiting to hear back 18 days ago
Jeffrey G
commented 18 days ago

Researcher

--------------------------------------------------------------------------------

Latest uploaded pdf:

https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2022/Quarter6/Teacher2/mathematics%206_1_student%20s%20student_2023-02-18%2015_32_55.000000.pdf

François Jacquet validated this vulnerability 17 days ago

Hello @jeffreygaor

Thank you for your report. I have fixed the filename generation for PHP<7, so
the microseconds are correctly added (the .000000 part). This was due to a bug
in PHP5 and the DateTime() object.

Jeffrey G has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 10.8.2 with commit 630d3e 17 days ago
François Jacquet has been awarded the fix bounty
This vulnerability has been assigned a CVE

This vulnerability is scheduled to go public on Feb 24th 2023
Jeffrey G
commented 17 days ago

Researcher

--------------------------------------------------------------------------------

Hi François Jacquet,

It was my pleasure to secure your Information System for school management.

Cheers!

Jeffrey

François Jacquet published this vulnerability 13 days ago
CVE

CVE-2023-0994 (published)
Vulnerability Type: CWE-284: Improper Access Control
Severity: High (8.1)
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Registry: Other
Affected Version: Latest
Visibility: Public
Status: Fixed

Found by: Jeffrey G (@jeffreygaor)
Fixed by: François Jacquet (@francoisjacquet)

This report was seen 495 times.