Project

General

Profile

Actions

Security issues » History » Revision 2

« Previous | Revision 2/80 (diff) | Next »
Yannick Warnier, 30/09/2010 18:32


Security issues

2010-09-29 - High risk - Course directory removal risk through tasks tool

At around 11:55, Belgian time, on 29/09/2010, a new security issue has been reported by user mdube on the Chamilo forum1.

  • Risk level: high
  • Versions affected: 1.8.6.2, 1.8.7, 1.8.7.1
  • Triggered by: teachers and administrators (no anonymous/student access)
  • Patch: See link [2] below

This security issue's risk level is considered high (on a scale of critical, high, moderate and low) in the sense you require edition permissions in the course to provoke it (relatively safe) but it provokes highly painful damages: it deletes a course directory, entirely.

This bug affects versions 1.8.6.2, 1.8.7 and 1.8.7.1.

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, developed a patch2 that you can download as a file3 and apply to your Chamilo 1.8.7.1 portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually.

The problem can be reproduced by trying to delete an un-existing student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.

This bug was introduced in November of 20094, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug implies a peer review process, and this can only come with regular investment.

Using the services of an official Chamilo provider5 guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as
you benefit from contributions from many others. Contribute to the Chamilo project using our official providers services and encourage our healthy and socially responsible economical model!

Best regards,

Yannick Warnier
Lead developer for Chamilo 1.8

1 http://www.chamilo.org/en/node/827
fn2. http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic
fn3. http://classic.chamilo.googlecode.com/hg/main/work/work.php?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d
fn4. http://code.google.com/p/chamilo/source/detail?r=d7ccd47395fe823bc521c9faeecb68e44d93197d&repo=classic&path=/main/work/work.php
fn5. http://www.chamilo.org/en/providers

Updated by Yannick Warnier almost 10 years ago · 2 revisions