Security issues » History » Version 82

Yannick Warnier, 24/01/2021 12:12

h1. Security issues

{{>toc}}

h2. Security track record

Chamilo LMS has a great track record for fixing reported security issues, working together with security actors and publishing fixes prior to the official publication of the vulnerabilities on official sites.

So far, in the history of the project (since late 2009), all (but one) vulnerabilities have been fixed less than 120h (5 days) after they were reported to us, and the process of code revision by packagers before inclusion (no unchecked plugin) has always been followed, making it *the most secure open source e-learning platform* to date.

You can see a graphical representation of the reports and fixes here (with corresponding links to check details): http://www.cvedetails.com/product/26528/Chamilo-Chamilo-Lms.html?vendor_id=12983 (navigate and check other LMSes to compare their security track record).

If you consider using another LMS, please (for your own sake) check its security track record (sometimes, "months can pass before fixes are provided publicly":http://securitytracker.com/id/1029437).

Check [[Secure_development_policy]] for more info.

h2. Security flaws reporting procedure

If you have found a new security flaw in Chamilo, please send us an e-mail at security@chamilo.org and info@chamilo.org, including "Chamilo Vulnerability" in your subject line. We *will* respond quickly to these (usually within 24h), so if you don't receive an answer, please consider that it might not have been received and send it again.

In the worst case, open an issue in this issue tracking system to call for our attention, but please do not publish the flaw until a patch has been developed.


h2. Security flaws fixing procedure

Security matters to us. A lot. So when we receive a security flaw report, we will treat it very quickly (usually in a matter of 1 to 4 days).

Our procedure is as follows:
# we will report these issues in a private part of this issue tracker
# one of us (developers) will be put in charge of providing a patch
# the developer will publish the patch in our source code repository (that's the first publication)
# if relevant credits information has been sent to us, we will add this information to the code and the commit message to 


h2. Security flaws publication procedure

# we will then prepare (and publish below) a full report and the corresponding patch to secure your platform. We will also provide the patch in the form of a zip to unzip into your Chamilo directory for the latest stable version
# if you don't use the latest version, you will have to upgrade first *or* apply the patch by yourself in your version
# we will send an e-mail to security@lists.chamilo.org and through our @chamilosecurity Twitter account
# if the security flaw has been passed to a security reporting authority, we will send them an e-mail

h2. Reported flaws

h3. Issue "#45" - 2021-01-21 - Moderate impact, moderate risk - Details coming...

Details coming...

* Fix for 1.11.x
pending


h3. Issue "#44" - 2021-01-14 - Moderate impact, moderate risk - Cross Site Request Forgery in calendar

Chamilo LMS version 1.11.14 and prior contain a CSRF vulnerability that allows a user with permissions to edit calendar events (including the personal agenda) to inject JS code that enables the CSRF vector to be exploited.
This requires privileged access, but could be abused by low-access-level users if the proper conditions are met.

Thanks to Maheshkumar Darji for reporting the issue to us.

* Fix for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/e4781a7d15aa4df1564be4bae5d5db554d2941c8

h3. Issue "#43" - 2020-05-04 - Moderate impact, moderate risk - XSS in personal profile and messages

Chamilo LMS version 1.11.10 contains several additional XSS vulnerabilities in the personal profile edit form and in personal messaging, affecting the users themselves and their social network friends.

Thanks to Emil Virkki for reporting the issue to us.

* Fix for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/ce56951fc3c22178b1bb0b499fe8a3c108f8502d
https://github.com/chamilo/chamilo-lms/commit/c32499e239531f7e99f872d68827b6f7cc66146c

h3. Issue "#42" - 2020-04-23 - High risk, low impact - XSS in extended user's profile fields

Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edit form, affecting the users themselves and their social network friends.

Thanks to Vu Van Tien for reporting the issue to us.

* Fix for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/aced30eaed1cb491c44aec1c37d5b3fc1c28f434

h3. Issue "#41" - 2020-04-22 - Medium risk, high impact - CSRF and privilege escalation via CSRF

Chamilo LMS version 1.11.10 contains a CSRF vulnerability and a privilege escalation vulnerability in the (administrative) user edit form. This requires specifically targeting an admin user.

Thanks to Toản Đăng for reporting the issue to us.

* Fix for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/bf50545e848805c9f123e6736eeba2edd7327bbc

h3. Issue "#40" - 2019-04-14 - Low risk, moderate impact - XSS

Chamilo LMS version 1.11.8 contains an XSS vulnerability in the course forum titles.

Thanks to HexPandaa for reporting the issue to us.

* Fixes for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/ee878212d691d2f3c6bab92002afb599846d3e0f

h3. Issue "#39" - 2019-02-25 - High risk, high impact - RCE, File upload

Chamilo LMS version 1.11.8 contains a remote code execution and a file upload vulnerability, already mitigated by the fix in issue 36, but still available to privileged users. You will need to run composer update once the patch is applied, as we use an additional external library to remove the flaw (PHP 5 does not allow for filtering of classes before unserialize).

Thanks to 0xecute for reporting the issue to us.

* Fixes for 1.11.x (through a set of commits)
https://github.com/chamilo/chamilo-lms/pull/2821/files

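As an added illustration of the class filtering mentioned above (this is example code, not Chamilo's code, and it does not show the external library the fix uses): on PHP 7.0 and later, unserialize() itself accepts an allowed_classes option that prevents any serialized object from being instantiated, which is the capability PHP 5 lacks and which is also at the heart of the unserialization flaws in issues #27 and #26 below. The function name and sample payloads are constructed for this example.

```php
<?php
// Added example, not Chamilo code. Requires PHP 7.1+ (nullable return type);
// the 'allowed_classes' option itself exists since PHP 7.0.

/**
 * Check whether an array holds an object anywhere in its structure.
 * Written out explicitly so behaviour does not depend on how
 * array_walk_recursive() treats object elements.
 */
function contains_object(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value) || (is_array($value) && contains_object($value))) {
            return true;
        }
    }
    return false;
}

/**
 * Deserialize an untrusted payload that is expected to hold only scalars
 * and arrays. Returns null for malformed input and for any payload that
 * tries to smuggle in an object, at the top level or nested.
 */
function safe_unserialize_array(string $payload): ?array
{
    // 'allowed_classes' => false: every "O:" record is turned into a
    // __PHP_Incomplete_Class stub, so no application class is constructed
    // and none of its __wakeup()/__destruct() hooks can run.
    $data = @unserialize($payload, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; a top-level stub
    // object is not an array either, so both cases are rejected here.
    if (!is_array($data)) {
        return null;
    }

    // Even harmless stubs are unwanted in data that should be plain
    // scalars and arrays, so refuse the whole payload if one is present.
    return contains_object($data) ? null : $data;
}

// Constructed sample inputs: one legitimate array, one top-level object,
// one object hidden inside an array, and one malformed string.
$legit   = serialize(['course_id' => 42, 'items' => [1, 2, 3]]);
$object  = 'O:8:"stdClass":1:{s:1:"x";i:1;}';
$nested  = 'a:1:{s:1:"k";O:8:"stdClass":0:{}}';
$garbage = 'not a serialized string';

foreach (['legit' => $legit, 'object' => $object, 'nested' => $nested, 'garbage' => $garbage] as $name => $payload) {
    $result = safe_unserialize_array($payload);
    printf("%-8s %s\n", $name, $result === null ? 'rejected' : 'accepted');
}
```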
h3. Issue "#38" - 2018-12-17 - Low risk, high impact - XXE

This is a special case because the issue was reported on 2018-12-17 but took an unusually long time to fix because it affected one of the libraries we use the most for XML parsing, with no other solution than to switch from one library to another for standard import formats.

We thank Pierre Pailleux for reporting the issue to us.

* Fixes for 1.11.x
https://github.com/chamilo/chamilo-lms/pull/2778 (this page contains a list of fixes that all need to be applied)

h3. Issue "#37" - 2018-12-18 - Low risk, moderate impact - XSS

This is a special case because the issue was reported on 2018-12-18 and fixed almost immediately, but we forgot to report it.
Chamilo LMS version 1.11.8 contains an XSS vulnerability in the tickets module.

We thank Pierre Pailleux for reporting the issue to us.

* Fixes for 1.11.x
https://github.com/chamilo/chamilo-lms/tree/54d05c11b97b20e5286b9cb5ce9e9670a96d3c64
https://github.com/chamilo/chamilo-lms/tree/bec1fd1681fc1edf21e697a3b561897f7a3ea9f5

h3. Issue "#36" - 2019-02-25 - Moderate risk, high impact - Privilege escalation/RCE

Chamilo LMS version 1.11.8 contains a privilege escalation risk enabled by the existence of a flaw in the deprecated code of the text-to-speech module Nanogong. This one is tricky to apply through a Chamilo update because it requires the main/inc/lib/nanogong directory to be removed. If you are in developer mode, a simple "composer update" will remove the directory once you have updated Chamilo to 1.11.10 or later.

Thanks to 0xecute for reporting the issue to us.

* Fixes for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/2164d36f0b0f61f342dff08d7ef977634e05e876

h3. Issue "#35" - 2019-01-23 - High risk, moderate impact - Unauthenticated personal data leak

Chamilo LMS version 1.11.8 contains the following flaws (additional to the previously reported flaws):
* 2 leaks of user firstname, lastname, picture and e-mail through an AJAX call, not requiring authentication

Thanks to 0xecute for reporting the issue to us.

* Fixes for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/481267293eba109ae329ff201565577fcf5b2202
https://github.com/chamilo/chamilo-lms/commit/2937cf24cf6842c2f6ce9422028a1e5f9842ef09
https://github.com/chamilo/chamilo-lms/commit/e46377515fb33eb573c4bfcbcee173aac60c1393
https://github.com/chamilo/chamilo-lms/commit/40560f93229595bd1465c71e57abe0563b166597
https://github.com/chamilo/chamilo-lms/commit/1c82459f142e67636b9241cef1d46b2b927547dd
https://github.com/chamilo/chamilo-lms/commit/c245b03308f8274b93f2a39e5435d5e9e4b6aecf

These security patches will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue "#34" - 2019-01-14 - Moderate risk, moderate impact - XSS and unauthorized access

Chamilo LMS version 1.11.8 contains a few XSS vulnerabilities in the social messaging, and an XSS and an unauthorized access in the tickets reporting system. All require authenticated access, so we do not consider them a high risk or impact.

Thanks to João Arnaut, Dognaedis for reporting the issue to us.

* Fix for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/33e2692a37b5b6340cf5bec1a84e541460983c03

These security patches will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue "#33" - 2018-12-13 - Moderate risk, high impact - SQL Injection

Chamilo LMS version 1.11.8 contains an SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. We recommend any administrator using sessions and having enabled the sessions catalogue to apply the patch ASAP.

We thank Pierre Pailleux for reporting the issue to us.

* Fix for 1.11.x
https://github.com/chamilo/chamilo-lms/commit/bfa1eccfabb457b800618d9d115f12dc614a55df

These security patches will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue "#32" - 2018-11-28 - Low risk - More XSS and path disclosure issues

Chamilo LMS version 1.11.8 contains two XSS vulnerabilities, one in the gradebook dependencies tool and one in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits. Also, some path disclosure appeared in the case of a platform configured as a "test" platform and showing PHP notice and warning messages on screen (which is not recommended).

We thank Pierre Pailleux for reporting the issues to us.

* Fix for 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/5e61c2b0fcc938ca687b8d4e593b1500aa52a034
** https://github.com/chamilo/chamilo-lms/commit/da8a93eea4b438e9d0433b7cb989d3ecafbaf65e
** https://github.com/chamilo/chamilo-lms/commit/15e49c1737b27f78aca7f948c6634c68753e51cf
** https://github.com/chamilo/chamilo-lms/commit/814049e5bd5317d761dda0ebbbc519cb2a64ab6c

These security patches will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue '#31' - 2018-11-18 - Moderate risk - SQLi, Reflected and Stored XSS vulnerabilities

Chamilo LMS version 1.11.8 contains several vulnerabilities of different levels of risk and criticality.

Two SQL injection issues require admin access, so although they are very high-damage vulnerabilities, we lowered the risk because they require very specific access to administration pages.
Several reflected XSS vulnerabilities have been reported in a mix of admin and public pages, so we raised the risk to moderate.
One stored XSS vulnerability was found on a course description page that requires user access to the specific course (low risk).

We thank Zekvan Arslan and the "Netsparker Web Application Security Scanner":https://www.netsparker.com team for their work finding and reporting these issues. A first advisory was sent to the wrong e-mail address in July but we only caught it in November. A special thank you to the Netsparker team for finding the right channels and being persistent on that one. We couldn't have made this safe report without you.

* Fix for 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/d13365c19486d0783426a8c5315310a406d5be01

This security patch will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue '#30' - 2018-11-13 - Low risk - More XSS in agenda

Chamilo LMS version 1.11.8 contains an additional series of XSS vulnerabilities in the agenda tool, allowing authenticated users to affect other users (sharing the same agenda events). This is considered "low risk" because, due to the nature of the feature it exploits, it is either necessary to be a teacher in a course or to be a student that was explicitly allowed by a teacher to edit agenda events. As such, the existence of the issue would only (in theory) affect open platforms or platforms with malicious (and security-skilled) teachers.

We thank Pierre Pailleux for reporting the issues to us.

* Fix for 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/099ec4117ed4aa6bd966f1928718fe69a0773723
** https://github.com/chamilo/chamilo-lms/commit/d9c37bf1f3e43b67b4f5b54938af2c45a51db309

These security patches will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue '#29' - 2018-10-06 - Moderate risk - XSS on registration page

Chamilo LMS version 1.11.8 contains an XSS vulnerability in the user registration form.
This represents a "moderate" risk because it is only available on open portals (Chamilo portals that allow registration by anyone). However, on these portals, it might have serious implications for administrators checking the users list on the administration page. As such, we urge all admins of open portals to update their Chamilo 1.11.8 portals with the patch provided below (a one-liner easily applied by hand).

See https://packetstormsecurity.com/files/149711/chamilolms1118fn-xss.txt

While we thank the author ("Cakes") for reporting this issue, we disapprove of the immediate publication. Our policy is to provide a patch within 72h of being notified, as far as humanly possible. We received no notification before this went public. Contact details are available in the first section of this page.
Also, while reporting it in "white hat" mode, "Cakes" also tested it on a live public portal, which is not really what we would expect, as the report indicates it was tested on a different IP address.
Despite these 2 latest detected vulnerabilities, we believe (based on security reports of competitors) Chamilo remains the safest LMS around.

Initially published by "Cakes".

* Fix for 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/a248539a5d9af7d4c261faa5adfc7f0394e9fd48

This security patch will be part of version 1.11.10 and versions 2.0 and up.


h3. Issue '#28' - 2018-10-05 - Low risk - XSS in agenda

Chamilo LMS version 1.11.8 contains an XSS vulnerability in the agenda tool, allowing authenticated users to affect other users (sharing the same agenda events). This is considered "low risk" because, due to the nature of the feature it exploits, it is either necessary to be a teacher in a course or to be a student that was explicitly allowed by a teacher to edit agenda events. As such, the existence of the issue would only (in theory) affect open platforms or platforms with malicious (and security-skilled) teachers.

See details here: https://packetstormsecurity.com/files/149679/chamilolms1118-xss.txt

While we thank the author ("Cakes") for reporting this issue, we disapprove of the immediate publication. Our policy is to provide a patch within 72h of being notified, as far as humanly possible. We received no notification before this went public. Contact details are available in the first section of this page.

Initially reported by "Cakes".

* Fix for 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/39b3162698455246dbfe791b2f9415c629f52120

This security patch will be part of version 1.11.10 and versions 2.0 and up.

h3. Issue '#27' - 2018-08-06 - Moderate risk - Unauthenticated remote code execution

Chamilo LMS version 1.11.x contains an unserialization vulnerability in a POST parameter that can result in unauthenticated remote code execution. This attack is only exploitable by users with access to the course maintenance tool (teachers and admins), which is why we reduced the risk to Moderate.

This affects versions 1.11 of Chamilo only.

Initially reported by e-mail by a contact calling themselves "shuimugan".

* Fix for 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/ecb18907a7fec22402411aa873382a4bd06cb07d

This security patch will be made available as part of Chamilo 1.11.8 and later.

h3. Issue '#26' - 2018-07-23 - Critical risk - Unauthenticated remote code execution

Chamilo LMS version 1.11.x contains an unserialization vulnerability in the "hash" GET parameter for the API endpoint located at /webservices/api/v2.php that can result in unauthenticated remote code execution. This attack appears to be exploitable via a simple GET request to the API endpoint. This vulnerability has been fixed as of commit 0de84700648f098c1fbf6b807dee28ec640efe62. CVE-2018-1999019 has been assigned to this issue.

This affects versions 1.11 of Chamilo only.

Initially reported by Indiana Moreau on https://github.com/chamilo/chamilo-lms/issues/2532

* For 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/0de84700648f098c1fbf6b807dee28ec640efe62

This security patch will be made available as part of Chamilo 1.11.8 and later.

h3. Issue '#25' - 2018-05-31 - Moderate risk - Data leak

A flaw in the logic of the "Who is online" page made it possible for unauthenticated users to get a list of names and pictures of the users currently online on the Chamilo portal. We consider it a moderate risk as it is available to the public but only through specific URLs not directly visible to the public, and because it only makes names and pictures available (no other private information) and only for users connected now or in the past few minutes.

This affects versions 1.11 of Chamilo and possibly previous versions.

This was kindly mentioned by Jurjen de Jonge of HVA.nl on 23/5/2018 but only received by us (due to e-mail issues on our side) on 31/5/2018. A fix was provided a few hours after finally receiving the report. The fix removes the information if the option "see connected users from the portal homepage" has been disabled. By default, this option is enabled in Chamilo, so for security reasons, we recommend admins to disable it when installing their portal.

* For 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/d400657bfa7ca08ca7a26abb73f607244cc48e73

No fix was provided for 1.10.x at this point as we consider this security issue a moderate risk.

This security patch will be made available as part of Chamilo 1.11.8 and later.

h3. Issue '#24' - 2018-04-09 - Low risk - Data leak

A flaw in the logic of the assignments tool in Chamilo made it possible for *registered users* to access the assignments provided by all other users in the same course.

This affects versions 1.11 of Chamilo (and probably previous versions), *but* you need a user account, access to a course, and the assignments tool to be enabled in order to abuse this flaw. If all these conditions are combined, you could effectively download assignments from all other students even if you configured that assignments are not shared.

This was kindly reported by Jan Derriks of HVA.nl on 9/4/2018. A fix for 1.11 was provided 40 minutes later.

* For 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/00f3e4a6506035674a58ccdf4ebe098bd6f607e3

No fix was provided for 1.10.x at this point as we consider this security issue a low risk.

These security patches will be made available as part of Chamilo 1.11.8 and later.

h3. Issue '#23' - 2017-02-09 - Moderate risk - PHP File Upload

A flaw in the elfinder extension to CKeditor in Chamilo was reported to us by Sandro "guly" Zaccarini.

This affects versions 1.10 and 1.11 of Chamilo, *but* you need a user account, the social network to be enabled *and* a special script to hack the upload method. This is why, although a PHP file upload issue would usually be marked as "High" or "Very high" risk, this has been lowered to "Moderate" risk.

We have made patches available to development versions of both 1.10 and 1.11:

* For 1.10.x
** https://github.com/chamilo/chamilo-lms/commit/501d19fed7773c7f5749cfa8d97cc8c7441fc7b1
* For 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/337c3e6d254a2eae161f6e1405b8ab2fc01ef35f
** https://github.com/chamilo/chamilo-lms/commit/ac8a66b240bcf92a9e83ec2f4c7e829747269a00

These security patches will be made available as part of Chamilo 1.11.4.

h3. Issue '#22' - 2016-12-26 - Moderate risk - PHPMailer shell escaping flaw

A flaw in the PHPMailer library, used in Chamilo LMS <=1.*, was reported to us by Peter Bex of more-magic.net, and initially identified by Hanno Böck.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:

* For 1.9.x
** https://github.com/chamilo/chamilo-lms/commit/816a809da5446866fbb4b2101898027ec328e9b9
* For 1.10.x
** https://github.com/chamilo/chamilo-lms/commit/ea335267dd96e6a3ea2bec53022c86115f55fe32
* For 1.11.x
** https://github.com/chamilo/chamilo-lms/commit/069845f08759cce4aa3693235e8d0a9a131ca35b


h3. Issue '#21' - 2016-07-15 - Moderate risk - User Input Sanitation

A series of user input data were reported as unsanitized in 1.10.6. This was reported by the Echelon team (npo-echelon.ru) and automatically detected by the static code analyzer "AppChecker":https://cnpo.ru/en/solutions/appchecker.php. As far as we could check, these require course access and, as such, will not affect non-public courses. You either have to have an open-access platform or an open course inside your platform to be affected.

Fixes for these vulnerabilities can be found here: https://github.com/chamilo/chamilo-lms/commit/52ef413e2719be2da521beb83a476d91468ef5e7
We have added additional filtering as well, available here: https://github.com/chamilo/chamilo-lms/commit/2a47c02329fb8dee04a6b6425c9ee7601c6f32e2

These fixes have been included in Chamilo 1.10.8 and all future versions.

h3. Issue '#20' - 2016-02-15 - Moderate risk - (messageId)

A rogue (not reported through official channels and including a public exploit) security issue was reported on 17/02/2016 by Lawrence Amer about being able to hijack another person's session through the handling of a crafted work in the assignments tool. This requires low-permission access (student in a course) but could allow a student to hijack a teacher's or admin's session.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:
* For 1.9.x
** https://github.com/chamilo/chamilo-lms/commit/d24f81b60e0a788a1dea4272ebe4a342f8874623
* For 1.10.x
** https://github.com/chamilo/chamilo-lms/commit/c3b9a10e7c9ad04e1cc3437848a99867cb5067ad

h3. Issue '#19' - 2016-02-15 - Moderate risk - (messageId) Delete Post Vulnerability

A rogue (not reported through official channels and including a public procedure on how to exploit it) security issue was reported on 15/02/2016 by Lawrence Amer about accessing other people's messages in the Chamilo social network, and giving the ability to delete others' messages. Given the fact that messages are also sent by e-mail, we do not consider the deletion of other people's messages a high risk. However, accessing the messages themselves can be considered a high private information access vulnerability.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:
* For 1.9.x
** https://github.com/chamilo/chamilo-lms/commit/9b9de176d3651f5a9a59fd3ae0bf63a098392027
* For 1.10.x
** https://github.com/chamilo/chamilo-lms/commit/e45079df7a1bf31bbcdd9b1d22d8c23cf76fd1db

h3. Issue '#18' - 2015-05-02 - Low-Moderate risk - URL hijacking/spoofing

A URL spoofing vulnerability has been reported by Luis Eduardo Jácome V. in Chamilo LMS 1.9.10.2 and all previous versions, allowing malicious crackers to modify a URL like:
* http://chamilo.org/main/link/link_goto.php?[...]&link_url=[original-redirect-url]
to
* http://chamilo.org/main/link/link_goto.php?[...]&link_url=[malign-redirect-url]

Because the change is clearly visible in the URL, we don't consider this vulnerability to represent a high risk to the user, but we still consider this a valid vulnerability, which is why we have provided the following fix, which you can freely apply to your 1.9.* installation. These changes will effectively ignore the link_url parameter and only take into account the link_id, whose URL is looked up in the database, making it impossible to hack through the same channel. Very complicated circumstances prevented us from publishing the fix on this page in a timely manner, but the commits were sent several days ago already.

https://github.com/chamilo/chamilo-lms/commit/aa052c08b9f4bbde686572c66dc0301ac7a480b8
https://github.com/chamilo/chamilo-lms/commit/23f2e7520be2c0c9e77e58d508023f39afb82f6c
https://github.com/chamilo/chamilo-lms/commit/aeac10a06115a810bd630f04d55f452c51be35d5
https://github.com/chamilo/chamilo-lms/commit/84bba539d632957447832a01cf2e2c4035ed6dbf

Or, in more detail:
<pre>
diff --git a/main/inc/lib/link.lib.php b/main/inc/lib/link.lib.php
index 875f048..eb3b156 100755
--- a/main/inc/lib/link.lib.php
+++ b/main/inc/lib/link.lib.php
@@ -103,6 +103,28 @@ class Link extends Model
 
         return false;
     }
+    
+    /**
+    *
+    * Get link info
+    * @param int link id
+    * @return array link info
+    *
+    **/
+    public static function get_link_info($id)
+    {
+        $tbl_link = Database:: get_course_table(TABLE_LINK);
+        $course_id = api_get_course_int_id();
+        $sql = "SELECT * FROM " . $tbl_link . "
+                WHERE c_id = $course_id AND id='" . intval($id) . "' ";
+        $result = Database::query($sql);
+        $data = array();
+        if (Database::num_rows($result)) {
+            $data = Database::fetch_array($result);
+        }
+        
+        return $data;
+    }
 }
 
 /**
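Review bot: get_link_info() returns an empty array when no row matches the given id in the current course, and nothing distinguishes that from a found link, so a caller reading $data['url'] on the result gets an undefined index instead of a clear failure. Consider returning false (or null) when Database::num_rows($result) is zero so callers can refuse to redirect. Minor: `Database:: get_course_table(TABLE_LINK)` has a stray space after `::`, the docblock's `@param int link id` should name the parameter (`@param int $id`), and the `+    ` and `+        ` lines carry trailing whitespace.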
diff --git a/main/link/link_goto.php b/main/link/link_goto.php
index 75163bb..101967f 100755
--- a/main/link/link_goto.php
+++ b/main/link/link_goto.php
@@ -21,16 +21,20 @@
 require_once '../inc/global.inc.php';
 $this_section = SECTION_COURSES;
 
-$link_url = html_entity_decode(Security::remove_XSS($_GET['link_url']));
-$link_id = intval($_GET['link_id']);
+require_once api_get_path(LIBRARY_PATH).'link.lib.php';
 
+$this_section = SECTION_COURSES;
+
+$linkId = intval($_GET['link_id']);
+
+$linkInfo = Link::get_link_info($linkId);
+$linkUrl = html_entity_decode(Security::remove_XSS($linkInfo['url']));
 // Launch event
-event_link($link_id);
+event_link($linkId);
 
 header("Cache-Control: no-store, no-cache, must-revalidate");   // HTTP/1.1
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");                                     // HTTP/1.0
-header("Location: $link_url");
-
-// To be sure that the script stops running after the redirection
+header("Location: $linkUrl");
 exit;
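Review bot: `$linkUrl = html_entity_decode(Security::remove_XSS($linkInfo['url']));` dereferences the lookup result without checking it; when link_id is missing, non-numeric or belongs to another course, Link::get_link_info() returns an empty array and the script still logs the event with event_link($linkId) and then emits `header("Location: ");` with an empty target. Check for an empty $linkInfo right after the lookup and abort before the event is logged and the redirect is sent. Also, `+$this_section = SECTION_COURSES;` duplicates the unchanged ` $this_section = SECTION_COURSES;` a few lines above it and can be dropped.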
</pre>

The fix has already been applied in preparation for version 1.10.0 and future versions.

h3. Issue '#17' - 2015-03-19 - Moderate risk - XSS & CSRF vulnerabilities

A series of XSS and CSRF vulnerabilities were reported on 2/3/2015 by Rehan Ahmed. After careful consideration and a fruitful exchange, we released different patches (find them individually in the Chamilo changelog for 1.9.10.2) that cover these vulnerabilities.

In the official report, the author mentions the patch release as being 1.9.11. However, our bugfix release policy enforces the use of the 1.9.10.2 number for this release. As of this writing, 1.9.11 does not (and will not) exist; it is a misnaming of 1.9.10.2.

This is considered a moderate risk because most of these require being an authenticated user in order to exploit them. On privately-managed portals, this is usually not an issue, but on open campuses, it is.

Initial report: received by e-mail on 2/3/2015
Proper report: #7564
Fix: The fix is to upgrade to Chamilo LMS 1.9.10.2, released today. The changelog contains the individual commits required to fix the vulnerabilities manually.
Affected versions: These vulnerabilities are likely to affect all previous versions of Chamilo LMS

If you are using *any* 1.9.x version of Chamilo, 1.9.10.2 is a minor version, so upgrading is *only* a matter of overwriting the current Chamilo code (removing the home/ directory in the *new* version package is recommended before you overwrite, in case you have a customized homepage).

If you require assistance applying those fixes, Chamilo Official Providers are trained to help you out in a professional manner.

462 40 Yannick Warnier
h3. Issue '#16' - 2015-01-25 - High risk - SQL injection vulnerability in several queries

A series of security issues was reported on 9/12/2014 by Kacper Szurek. Because these vulnerabilities potentially affected numerous parts of the code, we took the time to complete a full review of Chamilo and decided to publish the fix as part of Chamilo LMS 1.9.10.

This is considered high risk because we could not precisely measure the impact it might have had. We urge all our users to upgrade to Chamilo LMS 1.9.10 as soon as possible.

Initial report: received by e-mail on 9/12/2014
Proper report: #7440
Fix: upgrade to Chamilo LMS 1.9.10, released today. A standalone patch cannot easily be provided because it is too likely to break other parts of the code.
Affected versions: these vulnerabilities are likely to affect all previous versions of Chamilo LMS

If you are using *any* 1.9.x version of Chamilo, 1.9.10 is a minor version, so upgrading is *only* a matter of overwriting the current Chamilo code with the new package (removing the home/ directory from the *new* package before you overwrite is recommended, in case you have a customized homepage).

If you would like to apply a patch manually (although we *don't* have a complete and secure standalone patch at the moment), you can use the 3 main changes that were applied to fix it. This might not be an exhaustive list and, as always, neither Chamilo nor BeezNest is responsible for what might happen to your platform (see the GNU/GPLv3 license for details):

* https://github.com/chamilo/chamilo-lms/commit/3463b0465f60e07ae03d41c6bd9fd8a8d030de4d
* https://github.com/chamilo/chamilo-lms/commit/e01f044d58a7698b44fdda3a73c83eb8181a4910
* https://github.com/chamilo/chamilo-lms/commit/28baec78d282baec9aaa2c85f4736921375c3f6a

h3. Issue '#15' - 2014-08-25 - Moderate-high risk - SQL injection in mySpace/users.php

A security issue was reported by NeoSys on our forum: a user with access to a course's users tool can pass a specially crafted "status" parameter to get more results than expected, and potentially read (and modify) other parts of the database.

This is considered moderate-high risk because exploitation is limited to users who have access to that tool, but the potential impact is high.

Initial report: http://www.chamilo.org/phpBB3/viewtopic.php?f=15&t=5443&p=23969#p23969
Proper report: #7242
Fix: (very easy one-liner) https://github.com/chamilo/chamilo-lms/commit/8a75f654066e4ff74567e5b427230117667325d1
Affected versions: this doesn't *seem* to affect versions of Chamilo LMS prior to 1.9.8.0, as this code was introduced recently, but please check your own installation to be sure.
This patch will be included in release 1.9.8.3.

h3. Issue '#14' - 2014-06-18 - Moderate risk - XSS vulnerability in online editor

A security issue was published for FCKeditor very shortly after the release of Chamilo LMS 1.9.8. Since we ship a vulnerable version of FCKeditor in our software, we cannot leave this issue unattended, so we are releasing Chamilo LMS 1.9.8.1, a patch version for 1.9.8 with a single file patched. See https://github.com/chamilo/chamilo-lms/commit/2b6686e620407ab8d4ceb8951de4ce978917fc93 for details, or if you want to apply the patch manually. This covers CVE-2014-4037.

Considering the relatively short period of time between the release of 1.9.8 and 1.9.8.1, we will still release 1.9.8.1 under the "commercial" name of 1.9.8, and will *link* all previous 1.9.8 links to the new 1.9.8.1 package. The changelog has been updated.
Since you will be updating to 1.9.8.1 anyway, you'll notice that we have also fixed a few (around 5) minor (mostly visual) issues that we caught just after the release of 1.9.8, so you kill two birds with one stone.

As always, being a minor version, you can just overwrite your previous installation with the files from this new package.

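The overwrite-based minor upgrade described just above for 1.9.8.1, and again for 1.9.10 and 1.9.10.2 (issues #16 and #17), as an added example that is not Chamilo's own code: it archives the current installation first (the rollback path the advisories leave implicit), drops home/ from the unpacked new package so a customized homepage survives, lists the files the overlay will replace, and then copies the package over the installation. Function names, the backup location and the sample package/installation layout built by make_demo_tree() are assumptions for the demo; Python 3.8 or newer is needed for dirs_exist_ok.

```python
"""Minor-release upgrade by overwriting: backup, preserve home/, overlay.

Added example (not Chamilo code). Requires Python 3.8+ (dirs_exist_ok).
"""
import shutil
import tempfile
import time
from pathlib import Path


def files_to_overwrite(package_dir, install_dir):
    """Relative paths present in both trees: the files the overlay will replace."""
    package_dir, install_dir = Path(package_dir), Path(install_dir)
    return sorted(
        str(p.relative_to(package_dir))
        for p in package_dir.rglob("*")
        if p.is_file() and (install_dir / p.relative_to(package_dir)).is_file()
    )


def overlay_minor_release(package_dir, install_dir, backup_dir, keep_custom_home=True):
    """Apply a minor release by copying the unpacked package over the install.

    1. tar+gzip the current installation into backup_dir (rollback path);
    2. remove home/ from the *package* so the portal's customized homepage
       is not replaced by the stock one (the advisory's recommendation);
    3. copy everything else over the installation: same-named files are
       replaced, files that exist only in the installation are untouched.
    Returns the backup archive path.
    """
    package_dir, install_dir = Path(package_dir), Path(install_dir)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = shutil.make_archive(
        str(Path(backup_dir) / f"chamilo-backup-{stamp}"), "gztar", root_dir=str(install_dir)
    )
    pkg_home = package_dir / "home"
    if keep_custom_home and pkg_home.is_dir():
        shutil.rmtree(pkg_home)
    shutil.copytree(package_dir, install_dir, dirs_exist_ok=True)
    return archive


def make_demo_tree():
    """Constructed sample layout (an assumption, not a real Chamilo package)."""
    root = Path(tempfile.mkdtemp(prefix="chamilo-demo-"))
    install, package, backups = root / "install", root / "package", root / "backups"
    backups.mkdir()
    layout = {
        install / "home/index.html": "customized homepage",
        install / "main/inc/conf/configuration.php": "<?php // local config",
        install / "main/auth/profile.php": "<?php // vulnerable version",
        package / "home/index.html": "stock homepage",
        package / "main/auth/profile.php": "<?php // patched version",
        package / "main/inc/lib/newfile.php": "<?php // new in this release",
    }
    for path, content in layout.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return install, package, backups


if __name__ == "__main__":
    install, package, backups = make_demo_tree()
    print("will overwrite:", files_to_overwrite(package, install))
    print("backup written to:", overlay_minor_release(package, install, backups))
    print("homepage after upgrade:", (install / "home/index.html").read_text())
```

Run the dry-run listing first on a real portal: anything in that list that you customized by hand (beyond home/) is about to be replaced and needs the same treatment as home/.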
h3. Issue '#13' - 2014-05-06 - Moderate risk - XSS vulnerability in user profile fields

Javier Bloem, an independent white-hat hacker from Venezuela, reported multiple possible attack vectors in description fields of Chamilo. Although these attacks require at least a registered user account on the portal, they do represent a vulnerability for portals that accept open registration.

Patches have been committed to GitHub as commits:
* https://github.com/chamilo/chamilo-lms/commit/94706d7f99f7cb563c2a4f201c016caf7589fce1
* https://github.com/chamilo/chamilo-lms/commit/dd9bcd64fee588637914eec529cb489a8e89f2df
* https://github.com/chamilo/chamilo-lms/commit/a22589a9b909b32c89fe532d07b621d84b77fb34

Please update your portal(s) if this applies to you.
The fix is available in Chamilo 1.9.8 starting from Beta 1.

h3. Issue '#12' - 2014-03-05 - High risk - File injection through FCKEditor

Eric Marguin, from agence-codecouleurs.fr, reported an attack related to flaw #11, confirming it at the same time: a skilled attacker injected a PHP file through an unprotected entry point in our integration of FCKEditor.

Affected versions: 1.8.*, 1.9.*

To fix, please update the files:

<pre>
main/inc/lib/fckeditor/editor/plugins/ImageManager/config.inc.php
main/inc/lib/fckeditor/editor/plugins/MP3/fck_mp3.php
</pre>

by adding the following line after the global.inc.php call (so that anonymous visitors are rejected before the plugin does anything):

<pre>
api_block_anonymous_users();
</pre>

Note that this issue, together with issue #11, is fixed from 1.9.8 onwards.

h3. Issue '#11' - 2013-12-09 - High risk - File injection through FCKEditor - CONFIRMED

Stijn Michels, a Chamilo LMS user, reported in #6860 that he had been attacked through a likely flaw in one of the FCKEditor plugins used in Chamilo LMS: the plugin does not check that the user is authenticated before accepting a file upload. The attack could not be reproduced. However, we consider a preventive correction important, and we have worked together to publish a patch that can be applied to any 1.8 or 1.9 version of Chamilo.

Affected versions: 1.8.*, 1.9.*

To fix, please update your main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/inc/config.php file by adding the following on line 19:
<pre>
api_block_anonymous_users();
</pre>
and main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php by adding
<pre>
// Disabling access for anonymous users.
api_block_anonymous_users();
</pre>

h3. Issue '#10' - 2013-11-06 - Moderate risk - SQL injection in a specific configuration (non-encrypted passwords)

High-Tech Bridge reported an SQL-injection-type security flaw in version 1.9.6 of Chamilo LMS (which also affects previous versions).
This flaw *only affects* Chamilo LMS platforms that use the non-encrypted passwords mode (a mode that is available as a non-default option only during Chamilo LMS's installation process and is difficult to change afterwards).
If non-encrypted mode was selected (voluntarily) *and* malicious users have access to the profile editing form (which requires an active registered user account on the platform), then this issue represents a very high risk for you!
We believe and hope that most of our platform administrators have chosen the default, recommended encrypted mode on their platform, but it is important to us to cover all risks. This is why we will be issuing a fix very shortly.

As a very quick fix, you can open main/auth/profile.php, go to line 366 (function check_user_password()) and transform the following line:
<pre>
$password = api_get_encrypted_password($password);
</pre>
into this:
<pre>
$password = Database::escape_string(api_get_encrypted_password($password));
</pre>

This vulnerability has been assigned CVE-2013-6787.

See https://www.htbridge.com/advisory/HTB23182 for the original official report.

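Why this flaw only bites in non-encrypted mode is worth seeing in running code. The following is an added example, not Chamilo's code: it models the two password-storage modes described above against an in-memory SQLite table and places the string-built query of a check_user_password()-style routine next to a parameterised one. The table layout, the mode names "none" and "sha1", and the function names are assumptions for the demo; Chamilo's own one-line fix escapes the value with Database::escape_string() rather than binding a parameter, which is the same idea applied at the string level.

```python
"""Why CVE-2013-6787 only bites in non-encrypted password mode.

Added example (not Chamilo code). The hashed mode is safe here by accident:
a hex digest contains no quote characters, so the interpolated query can
never be broken out of. The non-encrypted mode passes user input straight
into SQL, which is the injection the advisory describes.
"""
import hashlib
import sqlite3

STORED_PASSWORD = "correct horse"
PAYLOAD = "' OR '1'='1"   # classic tautology, typed into the profile form


def encrypt_password(password, mode):
    """Stand-in for api_get_encrypted_password() (assumed behaviour).

    "sha1": hex digest, alphabet [0-9a-f] only.
    "none": non-encrypted mode, raw input returned unchanged.
    """
    if mode == "none":
        return password
    if mode == "sha1":
        return hashlib.sha1(password.encode("utf-8")).hexdigest()
    raise ValueError(f"unknown password mode: {mode}")


def make_db(mode):
    """Constructed sample table with one user (not real Chamilo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES (1, 'alice', ?)",
        (encrypt_password(STORED_PASSWORD, mode),),
    )
    conn.commit()
    return conn


def check_password_unsafe(conn, user_id, password, mode):
    """Vulnerable pattern: the transformed password is interpolated into SQL."""
    pw = encrypt_password(password, mode)
    sql = f"SELECT COUNT(*) FROM users WHERE user_id = {int(user_id)} AND password = '{pw}'"
    # With mode "none" and PAYLOAD the WHERE clause becomes
    #   user_id = 1 AND password = '' OR '1'='1'
    # and the trailing OR makes the check succeed for any stored password.
    return conn.execute(sql).fetchone()[0] == 1


def check_password_safe(conn, user_id, password, mode):
    """Hardened: the value is bound, so it is data in every mode."""
    pw = encrypt_password(password, mode)
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE user_id = ? AND password = ?",
        (int(user_id), pw),
    ).fetchone()
    return row[0] == 1


def run_matrix():
    """Outcome of the tautology payload for every mode/query combination."""
    results = {}
    for mode in ("none", "sha1"):
        conn = make_db(mode)
        results[(mode, "unsafe")] = check_password_unsafe(conn, 1, PAYLOAD, mode)
        results[(mode, "safe")] = check_password_safe(conn, 1, PAYLOAD, mode)
        results[(mode, "legit")] = check_password_safe(conn, 1, STORED_PASSWORD, mode)
    return results


if __name__ == "__main__":
    for (mode, query), accepted in sorted(run_matrix().items()):
        print(f"mode={mode:<5} query={query:<7} accepted={accepted}")
```

Only the ("none", "unsafe") cell accepts the payload, which is exactly the configuration the advisory singles out. The hardened query rejects it in both modes while still accepting the real password.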
h3. Issue '#9' - 2013-08-10 - Low risk - XSS in course title

Javier Bloem from Venezuela reported (through the Venezuelan local group) one XSS flaw involving the editing of a course title. This was fixed in commit https://github.com/chamilo/chamilo-lms/commit/3c770c201dbe1ce96480a3e51ff25d0b70c83514 (you can update a 1.9.* install just by using the file at https://raw.github.com/chamilo/chamilo-lms/3c770c201dbe1ce96480a3e51ff25d0b70c83514/main/course_info/infocours.php ).
This flaw is considered "low risk" because it is an XSS (so session stealing is the kind of risk you get) *and* it is only reachable if you have permission to create and edit courses, which you only get as a teacher.
It is, however, duly considered a flaw, as the default Chamilo installation *does* allow anybody to create a new user with teacher status, so it does represent a security risk for all administrators who have NOT READ the many recommendations to disable this possibility as soon as they go into production.

Download the main/course_info/infocours.php script and replace it in your 1.9 installation from here: https://raw.github.com/chamilo/chamilo-lms/3c770c201dbe1ce96480a3e51ff25d0b70c83514/main/course_info/infocours.php

h3. Issue '#8' - 2013-03-04 - Moderate risk - Several moderate security flaws

Fernando Muñoz, via the Secunia SVCRP, kindly reported 3 flaws affecting at least version 1.9.4 (and most probably all previous versions) of Chamilo LMS.

In order to let Chamilo administrators around the world react as quickly as possible, we provide 2 fix mechanisms, listed here in order of increasing required skill. We should be publishing 1.9.6 soon, which will include this fix. The file replacement below is provided for version 1.9.4; patches are provided for 1.9.4 and several earlier versions. You can find the details of the changes here: http://code.google.com/p/chamilo/source/detail?r=c9e8a27f8cde1f04dbe69d3f52a2e34c422bd679&name=1.9.x&repo=classic

* Download and apply the file replacement provided here: http://support.chamilo.org/attachments/download/3997/chamilo-1.9.4-vuln-8.zip Put the archive directly into the root directory of Chamilo and uncompress it there.
* Apply the patch provided here:
  For 1.9.4 http://support.chamilo.org/attachments/download/3999/chamilo-1.9.4-vuln-8.patch
  For 1.9.2 and 1.9.0 http://support.chamilo.org/attachments/download/4007/chamilo-1.9.2-vuln-8.patch
  For 1.8.8.6 http://support.chamilo.org/attachments/download/4008/chamilo-1.8.8.6-vuln-8.patch
  For 1.8.8.2 http://support.chamilo.org/attachments/download/4013/chamilo-1.8.8.2-vuln-8.patch
  For 1.8.7.1 http://support.chamilo.org/attachments/download/4014/chamilo-1.8.7.1-vuln-8.patch

If you require special assistance, please contact providers@chamilo.org to hire an expert, or ask for help on the forum: http://www.chamilo.org/forum

h3. Issue '#7' - 2012-07-16 - Moderate risk - Several moderate security flaws

Fernando Muñoz kindly reported a series of moderate security flaws in Chamilo 1.8.8.4 (most likely also affecting all previous versions): two XSS risks and one unauthorized file deletion risk. This has been registered in private task #5202.

In order to let Chamilo administrators around the world react as quickly as possible, we provide 3 fix mechanisms, listed here in order of increasing required skill:

* Download and apply the file replacement provided here: http://support.chamilo.org/attachments/download/2864/patch-1.8.8.6.tgz Put the archive directly into the root directory of Chamilo and uncompress it there.
* Download version 1.8.8.6 and follow the normal upgrade procedure: http://code.google.com/p/chamilo/downloads/detail?name=chamilo-1.8.8.6.tar.gz&can=2&q=
* Apply the patch provided here: http://support.chamilo.org/attachments/download/2863/chamilo-1.8.8.4-to-1.8.8.6.patch

We considered the report sufficiently serious to publish a new minor version of the software. Please apply one of the three methods above AS SOON AS POSSIBLE.

h3. Issue '#6' - 2011-06-15 - High risk - Several security flaws

Petr Skoda (<security _at_ skodak _dot_ org>) recently reported a series of flaws in Chamilo 1.8.8.2, which have been duly recorded in http://support.chamilo.org/issues/3600 and http://support.chamilo.org/issues/3601 and fixed in preparation for a special corrective 1.8.8.4 release within a few days (probably on the 18th of June). This release will also include a series of code improvements and will not require an upgrade procedure.

Patches are already available here:

* http://code.google.com/p/chamilo/source/detail?r=9ab36506b7099d29c005f4d4860a600e6734c166&repo=classic
* http://code.google.com/p/chamilo/source/detail?r=2b9e225f1659d253a8e458dabea5b71e4b57ac9b&repo=classic
* http://code.google.com/p/chamilo/source/detail?r=eef0cf45ceb4da084b3c61651fefae61d4e49fe2&repo=classic
* http://code.google.com/p/chamilo/source/detail?r=7ccba74a526d52c7831781e05ed52311439cf922&repo=classic

h3. Issue '#5' - 2011-01-31 - High risk - Filesystem traversal flaw

Fernando Muñoz kindly reported a major security flaw in the document system, a filesystem traversal by which a user could gain access to the database on loosely configured servers.

* To fix it, please apply the changes found at http://code.google.com/p/chamilo/source/browse/main/document/download.php?spec=svn.classic.3c071b2b6555552651a9617b1c92a9a983da875f&repo=classic&r=3c071b2b6555552651a9617b1c92a9a983da875f and http://code.google.com/p/chamilo/source/detail?r=f2254d813f3a44a0a1b1717876b3c81df72a6879&repo=classic
* To discuss, please connect to http://support.chamilo.org/issues/2722

This flaw is being reported to our Twitter security account and to our mailing-list security@lists.chamilo.org
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.

h3. Issue '#4' - 2011-01-28 - High risk - Filesystem traversal flaw

Fernando Muñoz kindly reported a major security flaw in the gradebook system, a filesystem traversal by which a user could gain access to the database on loosely configured servers.

* To fix it, please apply the changes found at http://code.google.com/p/chamilo/source/detail?r=b81c9c8012fa414d246a973aafddbde305c6f6f7&repo=classic
* To discuss, please connect to http://support.chamilo.org/issues/2705

This flaw is being reported to our Twitter security account and to our mailing-list security@lists.chamilo.org
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.

h3. Issue '#3' - 2010-12-09 - Low risk - Wiki and core weaknesses in specific configurations

develop-it.be kindly scanned the Chamilo 1.8.8 development version and found several minor issues, which we have fixed and included in 1.8.8 (to be released in February 2011).

h3. Issue '#2' - 2010-09-29 - High risk - Course directory removal risk through tasks tool

At around 11:55, Belgian time, on 29/09/2010, a new security issue was reported by user mdube "on the Chamilo forum":http://www.chamilo.org/en/node/827.

* Risk level: high
* Versions affected: *1.8.6.2, 1.8.7, 1.8.7.1*
* Triggered by: teachers and administrators (no anonymous/student access)
* Patch: "See patch":http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic

This security issue's risk level is considered *high* (on a scale of critical, high, moderate and low): editing permissions in the course are required to trigger it (relatively safe), but the damage is severe: it deletes a course directory entirely.

This bug affects versions 1.8.6.2, 1.8.7 and 1.8.7.1.

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, "developed a patch":http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic that you can "download as a file":http://classic.chamilo.googlecode.com/hg/main/work/work.php?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d and apply to your Chamilo 1.8.7.1 portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually. Suggestions are provided below:
* "replacement work.php for 1.8.6.2":/attachments/download/1111/work.php.1862
* "replacement work.php for 1.8.7":/attachments/download/1112/work.php.187

The problem can be reproduced by trying to delete a non-existent student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if a teacher accidentally double-clicks the delete icon, the entire course directory can be deleted. The only remedy then is to restore the course directory quickly from your daily backup.

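The filesystem traversal of issues #4 and #5 and the course-directory deletion of issue #2 come down to the same missing check: a path built from user input must resolve to something strictly inside the course directory, never to the directory itself and never outside it. Below is an added example of such a check in Python, not Chamilo's code, with a delete routine that is also a no-op when the target is already gone, so the second click of a double-click cannot escalate. The course layout built by build_demo_course(), the function names, and the assumed trigger (an empty work path collapsing onto the course directory) are assumptions for the demo; the page does not detail the faulty code.

```python
"""Containment check for course-relative paths, plus an idempotent delete.

Added example (not Chamilo code). Rejects traversal ("../", absolute paths)
and the degenerate case where the requested path is empty or resolves to
the course directory itself, the kind of input that turns "delete this
student work" into "delete the whole course directory".
"""
import shutil
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave, or equal, the course dir."""


def resolve_inside(course_dir, user_path):
    """Return the canonical target for user_path, or raise UnsafePath.

    Both sides are canonicalised with resolve() so symlinks and ".." are
    folded before the comparison; the target must be a strict descendant.
    """
    base = Path(course_dir).resolve()
    rel = (user_path or "").strip()
    if not rel:
        raise UnsafePath("empty path would address the course directory itself")
    target = (base / rel).resolve()
    if target == base or base not in target.parents:
        raise UnsafePath(f"{user_path!r} resolves outside the course directory")
    return target


def delete_work(course_dir, user_path):
    """Delete one student work; return 'missing' when it is already gone.

    The second click of an accidental double-click lands in the 'missing'
    branch and touches nothing, instead of reaching a destructive fallback.
    """
    target = resolve_inside(course_dir, user_path)
    if not target.exists():
        return "missing"
    if target.is_dir():
        shutil.rmtree(target)
    else:
        target.unlink()
    return "deleted"


def is_rejected(course_dir, user_path):
    """True when the containment check refuses the path (nothing is deleted)."""
    try:
        resolve_inside(course_dir, user_path)
    except UnsafePath:
        return True
    return False


def build_demo_course():
    """Constructed sample course directory (an assumption, not real Chamilo data)."""
    root = Path(tempfile.mkdtemp(prefix="course_demo_"))
    (root / "work" / "group1").mkdir(parents=True)
    (root / "work" / "group1" / "essay.txt").write_text("student essay")
    (root / "document").mkdir()
    (root / "document" / "syllabus.txt").write_text("course material")
    return root


if __name__ == "__main__":
    course = build_demo_course()
    print(delete_work(course, "work/group1/essay.txt"))   # deleted
    print(delete_work(course, "work/group1/essay.txt"))   # missing (second click)
    for bad in ("", "   ", ".", "../", "work/../../etc/passwd", "/etc/passwd"):
        print(f"{bad!r:>25} rejected={is_rejected(course, bad)}")
    shutil.rmtree(course)
```

The check is done on the resolved path rather than on the string, so encodings such as "work/../.." or a symlink planted inside the course directory are caught the same way as a literal "../".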
This bug was introduced "in November of 2009":http://code.google.com/p/chamilo/source/detail?r=d7ccd47395fe823bc521c9faeecb68e44d93197d&repo=classic&path=/main/work/work.php, while we were still working on Dok€os, by a then-member of the BeezNest team who was trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw may also apply to Dok€os 2.0 (this cannot be checked until that code is made available). The developer no longer works with us, and we have considerably improved the review process, but catching this specific kind of bug requires a peer review process, and that can only come with regular investment.

Using the services of an "official Chamilo provider":http://www.chamilo.org/en/providers guarantees that your contributions go to Chamilo and help many other organizations and people around the world, just as you benefit from the contributions of many others. Contribute to the Chamilo project through our official providers' services and encourage our healthy and socially responsible economic model!

Best regards,

Yannick Warnier
Lead developer for Chamilo 1.8

h3. Issue '#1' - 2010-08-02 - Wiki issues
Fixed in 1.8.7.1 package.