CVE-2023-34598

9.8 CRITICAL

📋 TL;DR

CVE-2023-34598 is a Local File Inclusion vulnerability in Gibbon v25.0.0 that allows attackers to read sensitive files from the server's installation directory. This affects all Gibbon v25.0.0 installations, potentially exposing configuration files, credentials, and other sensitive data.

💻 Affected Systems

Products:
  • Gibbon
Versions: v25.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Gibbon v25.0.0 installations are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read database credentials, configuration files, and other sensitive system files, leading to complete system compromise and data exfiltration.

🟠

Likely Case

Attackers will read configuration files containing database credentials and other sensitive information, enabling further attacks against the application and database.

🟢

If Mitigated

With proper file permissions and web server configuration, impact is limited to readable files within the web root, though sensitive configuration may still be exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal techniques can be used to include local files. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v25.0.1

Vendor Advisory: https://github.com/GibbonEdu/core/releases/tag/v25.0.1

Restart Required: No

Instructions:

1. Backup your Gibbon installation and database.
2. Download v25.0.1 from the official repository.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by testing the LFI vulnerability.

🔧 Temporary Workarounds

Web Server File Restriction

Platform: all

Configure the web server to restrict direct HTTP access to sensitive directories and files.

# For Apache: add to .htaccess in the Gibbon document root.
# "php" is deliberately left out of the pattern: Gibbon is a PHP
# application, so denying *.php would take the whole site down.
# These rules block direct HTTP requests for the listed files; they do
# not stop a server-side include() performed by vulnerable PHP code.
<FilesMatch "\.(inc|conf|ini|log|sql)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# For Nginx: add to the server block
location ~* \.(inc|conf|ini|log|sql)$ {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all file inclusion parameters
  • Move sensitive configuration files outside the web root directory

🔍 How to Verify

Check if Vulnerable:

Test if you can access sensitive files like config.php by manipulating file inclusion parameters in the application

Check Version:

Check the version.php file in your Gibbon installation, or run the following from the installation directory (single quotes keep the shell from expanding $version before PHP sees it): php -r 'include "version.php"; echo $version;'

Verify Fix Applied:

After patching, attempt the same LFI techniques that previously worked; they should now be blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs
  • Requests containing path traversal sequences (../, ..\, %2e%2e%2f)
  • Access attempts to sensitive files like config.php, database.ini

Network Indicators:

  • HTTP requests with suspicious file inclusion parameters
  • Abnormal response sizes when requesting certain endpoints

SIEM Query:

web_access_logs | where url contains ".." or url contains "%2e%2e" or url contains "config" or url contains "database"
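The SIEM query above matches raw substrings, so a single layer of encoding (or a backslash separator) slips past it. The following detector, added here as an example and not part of the advisory, percent-decodes each request URL until it stops changing, folds backslashes into forward slashes, and then flags the traversal sequences and file names listed above. The log lines and the "page" parameter name are constructed for the demonstration and are not Gibbon's real parameter.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log style lines (not from a real Gibbon host);
# the "page" query parameter is a hypothetical name.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2023:10:00:01 +0000] "GET /index.php?page=modules/Timetable/tt.php HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jul/2023:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1800
10.0.0.9 - - [01/Jul/2023:10:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 210
10.0.0.9 - - [01/Jul/2023:10:00:04 +0000] "GET /index.php?page=..%255c..%255cdatabase.ini HTTP/1.1" 200 210
10.0.0.7 - - [01/Jul/2023:10:00:05 +0000] "GET /themes/Default/img/config.png HTTP/1.1" 404 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# File names the advisory lists as targets, plus a classic traversal destination.
SENSITIVE_RE = re.compile(r'(config\.php|database\.ini|/etc/passwd)', re.I)


def normalize_url(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding such as
    %252e is unwrapped, then fold backslashes so '..\\' reads as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace('\\', '/')


def classify(line: str):
    """Return an alert dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m['url']
    url = normalize_url(raw)
    reasons = []
    if '../' in url:
        reasons.append('traversal')
    if SENSITIVE_RE.search(url):
        reasons.append('sensitive-file')
    if not reasons:
        return None
    if raw != url:
        reasons.append('encoded')  # obfuscation that a raw substring match would miss
    return {'ip': m['ip'], 'status': m['status'], 'url': url, 'reasons': reasons}


def scan(log_text: str):
    """Run classify() over every line and keep only the alerts."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]
```

Alerts that combine "traversal" with a 200 status deserve the first look, since a successful read returns the file body rather than an error page.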
