| Title | Frappe LMS 2.35.0 Improper Access Controls |
|---|
| Description | FRAPPE LMS 2.35.0 – IMPROPER ACCESS CONTROLS ALLOWING UNAUTHORIZED FILE ACCESS
SUMMARY
Frappe LMS version 2.35.0 is vulnerable to improper access controls.
Files uploaded by students or instructors are accessible to unauthenticated users, allowing private assignment submissions to be retrieved without login.
VULNERABILITY DETAILS
In Frappe LMS, uploaded files are served from the site's /files/ path, and requests to that path are not subject to any authentication check.
Assignment and course submissions, which should be visible only to the submitting student and the course instructors, are therefore publicly accessible.
As a result, anyone who knows or guesses a file's path can download it without logging in.
STEPS TO REPRODUCE
1. Log in as an administrator.
- Navigate to: http://127.0.0.1:8000/app/user?enabled=1
2. Create a student account.
- Add a new user.
- Assign the role: LMS Student
3. Create an assignment.
- Go to: http://127.0.0.1:8000/lms/assignments
- Create a new assignment with type set to Text
4. Create a course and attach the assignment.
- Navigate to: http://127.0.0.1:8000/lms/courses
- Create a course.
- Add a chapter to the course.
- Add the assignment you created as chapter content.
- Publish the course (optional; the issue is reproducible even if the course is left unpublished).
5. Log in as the student.
- Open the course assignment page:
http://127.0.0.1:8000/lms/courses/MyGrandCourse/learn/2-1
6. Upload a file (e.g., an image).
- After uploading, right-click the file and open it in a new tab.
- The file will have a direct URL, for example:
http://127.0.0.1:8000/files/mypicture.jpeg
7. Access the file without authentication.
- Log out or open a private/incognito browser window.
- Paste the file URL (from step 6).
- The file is still accessible, even without logging in.
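The following script is an added example for verifying step 7 from the command line; it is not part of the original report or of Frappe LMS. It sends one GET request with no cookies and no Authorization header and classifies the response as exposed, protected or unknown. The base URL and file name are assumptions taken from the reproduction steps above, and the /private/files/ path it also probes is Frappe's conventional location for private uploads, so the same script can be re-run after remediation to confirm that the submission is no longer served without a session.

```python
#!/usr/bin/env python3
"""Added example: check whether a Frappe file URL is readable without a session.

Not part of the original report or of Frappe LMS. Sends a single unauthenticated
GET (no cookies, no Authorization header) and classifies the result. The default
base URL and file name are assumptions copied from the reproduction steps.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


def build_file_url(base, filename, private=False):
    """Return the URL Frappe uses for an uploaded file.

    Frappe serves public uploads from /files/<name> and private uploads from
    /private/files/<name>; only the latter path is subject to a permission
    check, which is why submissions should be stored as private files.
    """
    prefix = "/private/files/" if private else "/files/"
    return urljoin(base, prefix + filename)


def classify(status, content_type, final_path):
    """Classify an unauthenticated response.

    exposed   - 200 with a non-HTML body: the file itself came back.
    protected - 401/403, or a 200 that landed on the login page after a redirect.
    unknown   - anything else (404, 5xx, ...), which proves nothing either way.
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        if final_path.startswith("/login"):
            return "protected"
        if not content_type.lower().startswith("text/html"):
            return "exposed"
    return "unknown"


def fetch_unauthenticated(url, timeout=10):
    """GET `url` with no session; return (status, content_type, final_path).

    urlopen follows redirects, so final_path is the path actually served,
    which lets classify() recognise a bounce to the login page.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "files-acl-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return (resp.status,
                    resp.headers.get("Content-Type", ""),
                    urlparse(resp.geturl()).path)
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; no redirect happened, so keep the request path.
        return (err.code, err.headers.get("Content-Type", ""), urlparse(url).path)


def check(url):
    """Fetch one URL and print a one-line verdict; returns the verdict string."""
    status, ctype, path = fetch_unauthenticated(url)
    verdict = classify(status, ctype, path)
    print(f"{url}: HTTP {status} {ctype or '-'} -> {verdict}")
    return verdict


if __name__ == "__main__":
    # Assumed values from the reproduction steps; override on the command line:
    #   python3 files_acl_check.py http://127.0.0.1:8000/ mypicture.jpeg
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000/"
    name = sys.argv[2] if len(sys.argv) > 2 else "mypicture.jpeg"
    verdicts = [check(build_file_url(base, name, private=p)) for p in (False, True)]
    # Non-zero exit if either location handed the file to an anonymous client.
    sys.exit(1 if "exposed" in verdicts else 0)
```

Run it from a shell that has never logged in to the instance; an "exposed" verdict for the /files/ URL reproduces the finding, and a "protected" verdict for the /private/files/ URL after the fix confirms the permission check is in the request path. A 404 is reported as "unknown" rather than "protected", since a missing file says nothing about access control.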
IMPACT
- Files that are expected to remain private between students and instructors are exposed publicly.
- Sensitive data in student submissions may be leaked.
- File URLs under /files/ are derived from the uploaded file's original name (for example /files/mypicture.jpeg), so guessing or enumerating other students' submissions is trivial.
RECOMMENDATION
- Enforce authentication and authorization checks on all file requests under /files/.
- Ensure that only authorized users (the submitting student and the course's instructors) can access assignment submissions.
- Store uploaded files in a location that is not directly web-accessible, and serve them only after verifying permissions. In Frappe, a File record created with is_private set is written under private/files and served through /private/files/, which is subject to a permission check; assignment uploads should be created as private files rather than public ones.
AFFECTED VERSION
- Frappe LMS v2.35.0
CREDITS
Reported by:
- 0xHamy (https://github.com/0xHamy)
- KhanMarshaI (https://github.com/KhanMarshaI)
|
|---|
| Source | https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1 |
|---|
| User | 0xHamy (UID 88518) |
|---|
| Submitted | 2025-09-21 21:26 (9 months ago) |
|---|
| Moderation | 2025-10-04 11:23 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 327014 [Frappe LMS 2.35.0 Assignment Picture /files/ privilege escalation] |
|---|
| Points | 20 |
|---|