@thezeekhan
Created November 4, 2025 07:29
MetaData

Skuul v2.6.5 – Sensitive Data Exposure in Uploaded Images

Summary

Skuul version 2.6.5 fails to sanitize or remove embedded EXIF metadata from uploaded images. When users upload profile photos, the system stores and serves the original files without stripping metadata. This allows other users or administrators who can access or download these images to extract sensitive information about the uploader, such as GPS location, device model, timestamps, and other personal data.

Vulnerability Details

When an image is uploaded as a profile photo in Skuul, the platform accepts and serves the file as-is, retaining the original EXIF metadata. This metadata may include:

  • GPS coordinates (latitude, longitude)
  • Device make, model, and serial information
  • Photo creation and modification timestamps
  • Camera owner or software details
  • User-defined tags or comments that may contain personal identifiers

Because this metadata remains intact and is retrievable by other users or anyone with access to the image URL, sensitive data exposure occurs. This could lead to privacy violations, location disclosure, or unintentional information leakage in educational or shared environments.

Steps to Reproduce

  1. Log in to Skuul at http://127.0.0.1:8000/login as any role (Student, Teacher, Parent, Admin or Super Admin).
  2. Navigate to http://sk.htb:8000/user/profile
  3. Upload an image containing metadata, such as https://github.com/ianare/exif-samples/blob/master/jpg/gps/DSCN0010.jpg
  4. Download the uploaded image and save it locally.
  5. Open the image in any online EXIF viewer, such as https://www.pic2map.com or https://exif.tools.
  6. Observe that sensitive EXIF data (such as GPS coordinates and device information) is still present.

Impact

  • Disclosure of user’s location (via GPS metadata).
  • Leakage of personal or device information (e.g., phone model, camera details).
  • Violation of user privacy and institutional data protection policies.
  • Potential non-compliance with GDPR or similar privacy regulations.

Recommendation

  • Implement server-side EXIF stripping for all uploaded images.
  • Store and serve only sanitized image versions.
  • Apply EXIF sanitization across all modules (Profile, Assignments, Attachments, etc.).
  • Periodically review existing stored files to remove sensitive metadata.
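
An added example (not from the advisory or from Skuul's code) of the server-side stripping and the stored-file audit recommended above: a stdlib-only JPEG segment walker that drops the APP1 (Exif/XMP), APP13 (IPTC) and COM segments and keeps everything needed to decode the image. The sample file is constructed inline; a real service would run `strip_metadata` on the upload bytes before writing them to storage and `has_metadata` over files already on disk.

```python
import struct

SOI, SOS, APP1, APP13, COM = 0xD8, 0xDA, 0xE1, 0xED, 0xFE
# Dropped on upload: Exif and XMP (APP1), IPTC (APP13), free-text comments (COM).
# APP0 (JFIF), APP2 (ICC profile) and coding tables (DQT/DHT/SOF) are kept.
METADATA_MARKERS = {APP1, APP13, COM}

def iter_header_segments(data: bytes):
    """Yield (marker, start, end) per header segment, up to and including SOS.
    Anything that is not a length-prefixed segment raises ValueError, so a
    malformed upload is rejected rather than stored."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end
        if marker == SOS:  # entropy-coded image data follows; metadata cannot
            return
    raise ValueError("truncated JPEG header (no SOS)")

def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with metadata segments removed; pixel data is untouched."""
    out, last_end = bytearray(data[:2]), 2
    for marker, start, end in iter_header_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
        last_end = end
    return bytes(out + data[last_end:])  # scan data through EOI, copied verbatim

def has_metadata(data: bytes) -> bool:
    # Audit check for files already on disk (the advisory's last recommendation).
    return any(m in METADATA_MARKERS for m, _, _ in iter_header_segments(data))

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample, not a real photo: JFIF, Exif APP1 (bare TIFF header), COM, stub scan, EOI.
SAMPLE_JPEG = (bytes([0xFF, SOI])
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _seg(COM, b"taken at home")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd9")
```

JPEG only: PNG text chunks and WebP EXIF chunks need their own walker, and re-encoding through an image library is the simpler route where one is available.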

Affected Version

  • Skuul v2.6.5

Credits

Zeeshan Khan
