Security issues » History » Revision 11
- Table of contents
- Security issues
Issue '#4' - 2011-01-28 - High risk - Filesystem traversal flaw¶Peter Van den Broek kindly reported a major security flaw in the gradebook system, by which a user could gain access to the database on lightly-hearted configured servers.
- To fix it, please apply the changes found at http://code.google.com/p/chamilo/source/detail?r=b81c9c8012fa414d246a973aafddbde305c6f6f7&repo=classic
- To discuss, please connect to http://support.chamilo.org/issues/2705
This flaw is being reported to our Twitter security account and to our mailing-list firstname.lastname@example.org
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.
Issue '#3' - 2010-12-09 - Low risk - Wiki and core weaknesses in specific configurations¶
develop-it.be kindly scanned Chamilo 1.8.8 development version and found several minor issues, which we have fixed and included in 1.8.8 (to be released February 2011)
Issue '#2' - 2010-09-29 - High risk - Course directory removal risk through tasks tool¶
At around 11:55, Belgian time, on 29/09/2010, a new security issue has been reported by user mdube on the Chamilo forum.
- Risk level: high
- Versions affected: 188.8.131.52, 1.8.7, 184.108.40.206
- Triggered by: teachers and administrators (no anonymous/student access)
- Patch: See patch
This security issue's risk level is considered high (on a scale of critical, high, moderate and low) in the sense you require edition permissions in the course to provoke it (relatively safe) but it provokes highly painful damages: it deletes a course directory, entirely.
This bug affects versions 220.127.116.11, 1.8.7 and 18.104.22.168.
The problem can be reproduced by trying to delete an un-existing student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.
This bug was introduced in November of 2009, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug implies a peer review process, and this can only come with regular investment.
Using the services of an official Chamilo provider guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as
you benefit from contributions from many others. Contribute to the Chamilo project using our official providers services and encourage our healthy and socially responsible economical model!
Lead developer for Chamilo 1.8
Issue '#1' - 2010-08-02 - Wiki issues¶
Fixed in 22.214.171.124 package.