CVE-2023-50982
📋 TL;DR
This vulnerability in Stud.IP learning management system allows attackers to upload malicious files through cross-site scripting (XSS) due to insufficient file extension validation. Successful exploitation leads to remote code execution with www-data user privileges. All Stud.IP installations running versions 5.x through 5.3.3 are affected.
💻 Affected Systems
- Stud.IP
📦 What is this software?
Stud.ip by Studip
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, and pivot to other systems on the network.
Likely Case
Attackers upload web shells or malware to gain persistent access, deface websites, or steal user credentials and academic data.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and network segmentation in place.
🎯 Exploit Status
Exploitation requires authenticated access to the admin interface. The vulnerability chain involves XSS leading to file upload bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.4, 5.2.6, 5.1.7, or 5.0.9
Vendor Advisory: https://gitlab.studip.de/studip/studip/-/tags
Restart Required: Yes
Instructions:
1. Back up your Stud.IP installation and database.
2. Download the patched version from the official repository.
3. Replace the affected files or perform a complete upgrade.
4. Restart the web server (Apache/Nginx).
5. Verify the fix by checking the version.
🔧 Temporary Workarounds
File Upload Restriction
Implement server-side file extension validation for all uploads (an allowlist of permitted extensions, enforced on the server, never only in the browser).
# Configure the web server to refuse executable file uploads.
# Example Apache (2.2-style access control); note that SetEnvIf on Request_URI
# only matches the request path, so this is a coarse filter and must be
# combined with application-level validation of the uploaded file name:
# <Location /upload>
# SetEnvIf Request_URI "\.(php|exe|sh|pl)" block_upload
# Deny from env=block_upload
# </Location>
WAF Rule Implementation
Deploy web application firewall rules to block malicious file uploads.
# ModSecurity rule example (FILES holds the original client-supplied file
# names; FILES_TMPNAMES holds the server's temporary names, which carry no
# meaningful extension, so it is the wrong variable for this check):
# SecRule FILES "@rx \.(php|exe|sh|pl)$" \
# "id:1001,phase:2,deny,msg:'Blocked executable upload'"
#
# Or use commercial WAF solutions with file upload protection
🧯 If You Can't Patch
- Disable file upload functionality in Admin_SmileysController if not required
- Implement strict file type validation at the application level before any file processing
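One way to implement the strict application-level validation described above, as an added example written here in Python rather than taken from Stud.IP (the allowlist, the magic-byte table and the function names are assumptions). It handles the cases a bare extension check misses: case differences, trailing dots and spaces, null bytes, client-supplied directories, and multi-extension names such as "x.php.png" that Apache's mod_mime may still hand to the PHP handler.

```python
import secrets
from typing import Tuple

# Allowlist of extensions the upload form accepts (assumption for this example).
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Extensions a web server might execute; they may not appear anywhere in the
# name, because mod_mime evaluates every extension in a multi-extension name.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                         "exe", "sh", "pl", "cgi", "htaccess"}

# Leading bytes expected for each accepted type (constructed table).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
         "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}


def validate_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Return (ok, normalised extension or rejection reason)."""
    # Reject any path component or embedded null byte outright.
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separator or null byte in name"
    # Trailing dots/spaces are silently dropped by some filesystems, so a name
    # like "shell.php " must be judged as "shell.php".
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s not allowed" % ext
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False, "executable extension embedded in name"
    # Extension alone is not proof of type: check the leading bytes too.
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name(ext: str) -> str:
    """Never reuse the client's name on disk: random name plus validated extension."""
    return "%s.%s" % (secrets.token_hex(16), ext)
```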
🔍 How to Verify
Check if Vulnerable:
Check Stud.IP version in admin interface or by examining source files. Versions 5.0.0 through 5.3.3 are vulnerable.
Check Version:
Check Stud.IP admin dashboard or examine /path/to/studip/VERSION file
Verify Fix Applied:
Verify version is 5.3.4, 5.2.6, 5.1.7, or 5.0.9. Test file upload functionality with malicious extensions to ensure they're blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with executable extensions
- Multiple failed upload attempts
- Admin interface access from unusual IPs
- Web server errors related to file processing
Network Indicators:
- POST requests to upload_action or edit_action endpoints with executable files
- Unusual outbound connections from web server
SIEM Query:
source="web_server" AND (uri="*upload_action*" OR uri="*edit_action*") AND (file_extension="php" OR file_extension="exe" OR file_extension="sh" OR file_extension="pl")