CVE-2024-38530

9.8 CRITICAL

📋 TL;DR

CVE-2024-38530 is an unauthenticated arbitrary file upload vulnerability in Open eClass's H5P module that allows attackers to upload malicious files to the server. This can lead to remote code execution since uploaded files are internet-accessible. All Open eClass installations with vulnerable H5P modules are affected.

💻 Affected Systems

Products:
  • Open eClass (formerly GUnet eClass)
Versions: All versions before 3.16
Operating Systems: All platforms running Open eClass
Default Config Vulnerable: ⚠️ Yes
Notes: Requires H5P module to be enabled, which is commonly used for interactive content.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise via remote code execution, data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Webshell deployment leading to data exfiltration, credential harvesting, and further exploitation of the server.

🟢

If Mitigated

File upload blocked or sanitized, preventing malicious payload execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires simple HTTP requests to upload malicious files like PHP webshells.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.16

Vendor Advisory: https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg

Restart Required: No

Instructions:

1. Back up your Open eClass installation and database.
2. Download Open eClass version 3.16 or later.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by testing file upload functionality.

🔧 Temporary Workarounds

Disable H5P Module

Platform: all

Temporarily disable the vulnerable H5P module to prevent exploitation.

# Edit Open eClass configuration to disable H5P module
# Consult Open eClass documentation for module disabling procedure

Web Server File Restriction

Platform: linux

Configure web server to block execution of uploaded files in H5P directories.

# For Apache: Add to .htaccess in upload directory
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp
AddType text/plain .php .phtml .php3 .php4 .php5 .php7 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp

🧯 If You Can't Patch

  • Implement strict web application firewall rules to block file upload requests to H5P endpoints.
  • Monitor file upload directories for suspicious files and implement real-time alerting.

🔍 How to Verify

Check if Vulnerable:

Check if Open eClass version is below 3.16 and H5P module is enabled. Attempt to upload a test file via H5P save functionality.

Check Version:

# Check the Open eClass version in the admin panel, or search the config files:
grep -r 'version' /path/to/openeclass/config/

Verify Fix Applied:

After patching, verify version is 3.16 or higher and test that arbitrary file uploads are blocked in H5P module.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to H5P directories
  • HTTP POST requests to H5P save endpoints from unauthenticated users
  • Execution of uploaded files (e.g., .php, .jsp) from upload directories

Network Indicators:

  • HTTP requests with file uploads to paths containing 'h5p' or 'save' from external IPs
  • Unusual outbound connections from web server post-upload

SIEM Query:

source="web_server_logs" AND (url="*h5p*save*" OR (url="*upload*" AND user_agent="*")) AND status=200
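
One way to check the log indicators above offline against a web server access log, added here as an example and not taken from the vendor advisory or from Open eClass. It assumes Combined Log Format; `UPLOAD_PREFIX`, the sample paths and the addresses are constructed placeholders, not real Open eClass paths.

```python
import re

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions from the workaround's handler list on this page.
SCRIPT_EXT = re.compile(
    r'\.(php|phtml|php[3457]|phps|cgi|exe|pl|asp|aspx|shtml|shtm|fcgi|fpl|jsp)$',
    re.I)
# Assumption: URL prefix under which H5P uploads are served on your install.
UPLOAD_PREFIX = "/PLACEHOLDER/h5p-uploads/"


def detect(lines, upload_prefix=UPLOAD_PREFIX):
    """Return (kind, ip, path) leads matching the log indicators above."""
    findings, uploaders = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or a request that did not succeed
        path = m["path"].split("?", 1)[0]  # ignore the query string
        lower = path.lower()
        if m["method"] == "POST" and "h5p" in lower and "save" in lower:
            # Access logs do not show session state; treat this as a lead.
            uploaders.add(m["ip"])
            findings.append(("h5p_save_post", m["ip"], path))
        elif lower.startswith(upload_prefix.lower()) and SCRIPT_EXT.search(lower):
            # A script served with 2xx from the upload tree may have executed.
            kind = ("script_hit_by_uploader" if m["ip"] in uploaders
                    else "script_hit_in_uploads")
            findings.append((kind, m["ip"], path))
    return findings


# Constructed sample lines (paths and addresses are placeholders).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /PLACEHOLDER/h5p/save-endpoint HTTP/1.1" 200 12 "-" "ua"',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /PLACEHOLDER/h5p-uploads/abc/image.png HTTP/1.1" 200 900 "-" "ua"',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /PLACEHOLDER/h5p-uploads/abc/test.php?v=2 HTTP/1.1" 200 30 "-" "ua"',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /PLACEHOLDER/h5p-uploads/abc/test.php HTTP/1.1" 200 30 "-" "ua"',
    '192.0.2.4 - - [01/Jan/2025:10:02:00 +0000] "POST /PLACEHOLDER/h5p/save-endpoint HTTP/1.1" 403 0 "-" "ua"',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(*finding, sep="\t")
```

Set `UPLOAD_PREFIX` to the URL path your installation actually serves H5P content from before running this over real logs.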
