CVE-2024-24724
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Gibbon systems through server-side template injection in the messengerSettings.php file. Attackers can exploit unsanitized input passed to the Twig template engine to achieve remote code execution. All Gibbon installations up to version 26.0.00 are affected.
💻 Affected Systems
- Gibbon
📦 What is this software?
Gibbon by Gibbonedu
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, or pivot to other systems.
Likely Case
Unauthorized access to the server, data exfiltration, and potential deployment of ransomware or backdoors.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires authentication to access the School Admin module. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.0.01 or later
Vendor Advisory: https://gibbonedu.org/download/
Restart Required: No
Instructions:
1. Download the latest version from Gibbon's official website.
2. Back up your current installation and database.
3. Replace the vulnerable files with the patched version.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Disable School Admin Module
Linux: Temporarily disable the vulnerable module to prevent exploitation
mv /path/to/gibbon/modules/School\ Admin /path/to/gibbon/modules/School\ Admin.disabled
Restrict Access to messengerSettings.php
All platforms: Block access to the vulnerable file using web server configuration (note that both the Location and location directives match against the decoded request path, so the space in "School Admin" is written literally)
# Apache:
<Location "/modules/School Admin/messengerSettings.php">
    Require all denied
</Location>
# Nginx (the regex is quoted because it contains a space):
location ~ "^/modules/School Admin/messengerSettings\.php" { deny all; }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Gibbon from critical systems
- Deploy a web application firewall with specific rules to block template injection attempts
🔍 How to Verify
Check if Vulnerable:
Check if your Gibbon version is 26.0.00 or earlier by examining the version file or admin interface
Check Version:
grep 'gibbonVersion' /path/to/gibbon/version.php
Verify Fix Applied:
Verify the installed version is 26.0.01 or later and check that the messengerSettings.php file has been updated
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /modules/School%20Admin/messengerSettings.php
- Twig template errors containing user input
- Unexpected system command execution from web process
Network Indicators:
- HTTP requests containing template injection payloads like {{7*7}} or {{system('id')}}
SIEM Query:
source="web_access.log" AND uri="/modules/School%20Admin/messengerSettings.php" AND (method="POST" OR status>=400)
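The indicators above can be checked against a web access log automatically. The following is an added example, not part of the original advisory and not Gibbon's own code: it parses combined-format Apache/nginx access-log lines and flags the same conditions as the SIEM query (POST or error status on messengerSettings.php, Twig delimiters in the request), decoding URL-encoding first so that `/modules/School%20Admin/...` and `%7B%7B` are matched in either form. The log lines are constructed.

```python
import re
from urllib.parse import unquote

# Decoded form of the request path named in the advisory.
VULN_PATH = "/modules/School Admin/messengerSettings.php"

# Twig delimiters ({{ ... }} and {% ... %}); the advisory's sample payloads
# {{7*7}} and {{system('id')}} both start with "{{".
TEMPLATE_MARKER = re.compile(r"\{\{|\{%")

# Apache/nginx combined-style access log: client ident user [time] "req" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return the advisory indicators one access-log line matches (empty list
    when none): POST or error status on the file, template delimiters in URI."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode %20, %7B, ... so encoded and plain forms are handled alike.
    uri = unquote(m.group("uri"))
    path = uri.partition("?")[0]
    reasons = []
    if path == VULN_PATH:
        if m.group("method") == "POST":
            reasons.append("POST to messengerSettings.php")
        if int(m.group("status")) >= 400:
            reasons.append("error status on messengerSettings.php")
    if TEMPLATE_MARKER.search(uri):
        reasons.append("template delimiters in request URI")
    return reasons

def scan(lines):
    """Return (line, reasons) pairs for every line that hit an indicator."""
    return [(line, r) for line in lines if (r := classify(line))]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - admin [10/Feb/2024:10:02:15 +0000] '
    '"POST /modules/School%20Admin/messengerSettings.php HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Feb/2024:10:03:44 +0000] '
    '"GET /modules/School%20Admin/messengerSettings.php?x=%7B%7B7*7%7D%7D HTTP/1.1" 403 0',
]
```

Access logs do not record POST bodies, so a payload submitted through the form fields of messengerSettings.php shows up here only as the POST itself; inspecting the body requires WAF or application-level logging.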