Yannick Warnier, 26/08/2014 16:11

Security issues

Security track record

Chamilo LMS has a great track record for fixing reported security issues, working together with security actors, publishing fixes prior to the official publication of the vulnerabilities on official sites.

So far, in the history of the project (since late 2009), all vulnerabilities have been fixed less than 72h after they were reported to us, and the process of code revision by packagers before inclusion (no unchecked plugin) has always been followed, making it the most secure open source e-learning platform to date.

You can see a graphical representation of the reports and fixes here (with corresponding links to check details): (navigate and check other LMSes to compare their security track record).

If you consider using another LMS, please (for your own sake) check its security track record (sometimes, months can pass before fixes are provided publicly, like here).

Security flaws reporting procedure

If you have found a new security flaw in Chamilo, please send us an e-mail at and, including "Chamilo Vulnerability" in your topic line. We will respond quickly to these (usually within 24h), so if you don't receive an answer, please consider it might not have been received and send it again.
In the worst case, open an issue in this issues tracking system to call for our attention, but please do not publish the flaw until a patch has been developed.

Security flaws fixing procedure

Security matters to us. A lot. So when we receive a security flaw report, we will treat it very quickly (usually in a matter of 1 to 4 days).
Our procedure is as follows:
  1. we will report these issues in a private part of this issue tracker
  2. one of us (developers) will be put in charge of providing a patch
  3. the developer will publish the patch in our source code repository (that's the first publication)
  4. if relevant credits information has been sent to us, we will add this information to the code and the commit message to

Security flaws publication procedure

  1. we will then prepare (and publish below) a full report and the corresponding patch to secure your platform. We will also provide the patch in the form of a zip to unzip into your Chamilo directory for the latest stable version.
  2. if you don't use the latest version, you will have to upgrade first or apply the patch by yourself in your version
  3. we will send an e-mail to and through our @chamilosecurity Twitter account
  4. if the security flaw has been passed to a security reporting authority, we will send them an e-mail

Reported flaws

Issue '#15' - 2014-08-25 - Moderate-high risk - SQL injection in mySpace/users.php

A security issue has been reported by NeoSys on our forum, which allows a person with access to a course's users tool to pass a specially-crafted "status" parameter to get more results than expected, and potentially access (and modify) other parts of the database.

This is considered moderate-high risk: it is limited to users who already have access to that tool, but it has a potentially high impact.

Initial report:
Proper report: #7242
Fix: (very easy one-liner)
Affected versions: this doesn't seem to affect versions of Chamilo LMS previous to, as this code was introduced recently, but please make sure you check your own installation to avoid any uncomfortable situation.
This patch will be included in release

Issue '#14' - 2014-06-18 - Moderate risk - XSS vulnerability in online editor

A security issue has been published for FCKeditor very shortly after the release of Chamilo LMS 1.9.8. Considering we are including a vulnerable version of FCKeditor in our software, we cannot leave this issue unattended, and as such we are releasing Chamilo LMS, a patch version for 1.9.8, with just one file patched. See for more details or if you want to apply the patch manually.

Considering the relatively short period of time between the release of 1.9.8 and, we will still release under the "commercial" name of 1.9.8, and will link all previous 1.9.8 links to the new package. The changelog has been updated.
Considering you will be updating to anyway, you'll notice that we've also fixed a few (around 5) minor (mostly visual) issues that we caught just after the release of 1.9.8. So you kill 2 birds with one stone.

As always, being a minor version, you can just overwrite your previous installation with the files from this new package.

Issue '#13' - 2014-05-06 - Moderate risk - XSS vulnerability in user profile fields

Javier Bloem, independent white hat hacker from Venezuela, reported multiple possible attack vectors in description fields of Chamilo. Although these attacks require at minimum access as a registered user to the portal, they do represent a vulnerability for those portals that accept open registration.

Patches have been committed to GitHub as commits:

Please update your portal(s) if you are in this case.
The fix is available in Chamilo 1.9.8 starting from Beta 1.

Issue '#12' - 2014-03-05 - High risk - File injection through FCKEditor

Eric Marguin, from, reported an attack related to flaw #11, confirming it at the same time: a skilled attacker injected a PHP file through an unprotected entry point in our implementation of FCKEditor.

Affected versions: 1.8.*, 1.9.*

To fix, please update files:


by adding the following line after the call.


Note that this issue, together with issue #11, is fixed from 1.9.8 onwards.

Issue '#11' - 2013-12-09 - High risk - File injection through FCKEditor - CONFIRMED

Stijn Michels, one of Chamilo LMS users, reported in #6860 that he had been attacked through a likely flaw in one of the FCKEditor plugins used in Chamilo LMS: the plugin does not check that the user is authenticated before accepting a file upload. The attack could not be reproduced. However, we think that preventive correction is important, and we have worked together to publish a patch that can be applied to any 1.8 or 1.9 version of Chamilo.

Affected versions: 1.8.*, 1.9.*

To fix, please update your main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/inc/config.php file adding the following on line 19:


and main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php to add the following on lines 33 and 34:

// Disabling access for anonymous users.

Issue '#10' - 2013-11-06 - Moderate risk - SQL Injection in specific, unrecommended case

High-Tech Bridge reported an SQL-injection-type security flaw in version 1.9.6 of Chamilo LMS (which also affects previous versions).
This flaw only affects Chamilo LMS platforms which use the non-encrypted passwords mode (a mode that is available as a non-default option only during Chamilo LMS's installation process and is difficult to change afterwards).
If non-encrypted mode is selected (voluntarily) and malicious users have access to the profile editing form (which requires an active registered user account on the platform), then this issue represents a very high risk for you!
We believe and hope that most of our platform administrators have chosen the default recommended encrypted mode on their platform, but it is important to us to cover all risks. This is why we will be issuing a fix very shortly.

As a very quick fix, you can just open main/auth/profile.php, go to line 366 (function check_user_password()) and transform the following line:

$password = api_get_encrypted_password($password);

into this:
$password = Database::escape_string(api_get_encrypted_password($password));

This vulnerability has been assigned CVE-2013-6787.

See for the original official report.
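The two injection patterns described above, the "status" parameter of issue #15 and the plain-text password compared in SQL in issue #10, as an added example that is not Chamilo's own code: the concatenated query beside a prepared statement (bound parameters, a different technique from the Database::escape_string one-liner shown above) and an integer check for the filter parameter. It runs against an in-memory SQLite table built here; the table and column names are assumptions.

```php
<?php
// Added example, not Chamilo code. Constructed in-memory database; table/column names assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (user_id INTEGER, username TEXT, password TEXT, status INTEGER)");
$db->exec("INSERT INTO user VALUES (1, 'alice', 'secret', 1), (2, 'bob', 'hunter2', 5)");

// Vulnerable pattern: request data pasted straight into the query text.
function check_password_vulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT user_id FROM user WHERE username = '$username' AND password = '$password'";
    return (bool) $db->query($sql)->fetch();
}

// Hardened pattern: bound parameters keep the input as data, whatever it contains.
function check_password_safe(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare("SELECT user_id FROM user WHERE username = ? AND password = ?");
    $st->execute([$username, $password]);
    return (bool) $st->fetch();
}

// For an integer filter such as "status", validate the type before it reaches SQL at all.
function users_with_status(PDO $db, string $status_param): array
{
    if (!ctype_digit($status_param)) {          // anything but a plain integer is rejected
        throw new InvalidArgumentException('status must be an integer');
    }
    $st = $db->prepare("SELECT username FROM user WHERE status = ?");
    $st->execute([(int) $status_param]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$tautology = "' OR '1'='1";                                   // constructed test input
var_dump(check_password_vulnerable($db, 'alice', $tautology)); // bool(true): wrong password accepted
var_dump(check_password_safe($db, 'alice', $tautology));       // bool(false): compared literally
print_r(users_with_status($db, '1'));                          // Array ( [0] => alice )
try {
    users_with_status($db, '1 OR 1=1');                        // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```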

Issue '#9' - 2013-08-10 - Low risk - XSS in course title

Javier Bloem from Venezuela reported (through the Venezuela local group) one XSS flaw, involving the editing of a course title. This was fixed in commit (you can update a 1.9.* install just by using the file at ).
This flaw is considered "low risk" because it is an XSS (so stealing sessions is the kind of risk you get) and it is only accessible if you have the permission to create and edit courses, which you only get if you're a teacher.
It is, however, duly considered as a flaw, as the default Chamilo installation does allow anybody to create a new teacher user, so it does represent a security risk for all people NOT READING the many recommendations on disabling this possibility as soon as they enter production.

Download the main/course_info/infocours.php script and replace it in your 1.9 installation from here:

Issue '#8' - 2013-03-04 - Moderate risk - Several moderate security flaws

Fernando Muñoz, via the Secunia SVCRP, kindly reported 3 flaws through Secunia, affecting at least version 1.9.4 (and most probably all previous versions) of Chamilo LMS.

To let Chamilo administrators around the world respond as quickly as possible, we provide 2 fix mechanisms, listed here by increasing level of required skills. We should be publishing 1.9.6 soon, which will include this fix. The patches below are provided for version 1.9.4. You can find the details of the changes here:

If you require special assistance, please contact to hire an expert, or ask for help on the forum:

Issue '#7' - 2012-07-16 - Moderate risk - Several moderate security flaws

Fernando Muñoz kindly reported a series of moderate security flaws in Chamilo (most likely also affecting all previous versions), consisting of two XSS risks and one unauthorized file deletion risk. This has been registered in private task #5202.

To let Chamilo administrators around the world respond as quickly as possible, we provide 3 fix mechanisms, listed here by increasing level of required skills:

We considered the report was sufficiently serious for us to publish a new minor version of the software. Please apply using one of the three methods above AS SOON AS POSSIBLE.

Issue '#6' - 2011-06-15 - High risk - Several security flaws

Petr Skoda (<security at skodak dot org>) recently reported a series of flaws in Chamilo, which have been duly reported here and here and fixed in preparation for a special corrective release within a few days (probably on the 18th of June). This release will come together with a series of improvements to the code, and no upgrade procedure will be needed.
Patches are already available here:

Issue '#5' - 2011-01-31 - High risk - Filesystem traversal flaw

Fernando Muñoz kindly reported a major security flaw in the document system, by which a user could gain access to the database on loosely configured servers.

This flaw is being reported to our Twitter security account and to our mailing-list
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.

Issue '#4' - 2011-01-28 - High risk - Filesystem traversal flaw

Fernando Muñoz kindly reported a major security flaw in the gradebook system, by which a user could gain access to the database on loosely configured servers.

This flaw is being reported to our Twitter security account and to our mailing-list
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.

Issue '#3' - 2010-12-09 - Low risk - Wiki and core weaknesses in specific configurations

kindly scanned the Chamilo 1.8.8 development version and found several minor issues, which we have fixed and included in 1.8.8 (to be released February 2011).

Issue '#2' - 2010-09-29 - High risk - Course directory removal risk through tasks tool

At around 11:55, Belgian time, on 29/09/2010, a new security issue was reported by user mdube on the Chamilo forum.

  • Risk level: high
  • Versions affected:, 1.8.7,
  • Triggered by: teachers and administrators (no anonymous/student access)
  • Patch: See patch

This security issue's risk level is considered high (on a scale of critical, high, moderate and low) in the sense that you need editing permissions in the course to trigger it (relatively safe), but the damage is severe: it deletes an entire course directory.

This bug affects versions, 1.8.7 and

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, developed a patch that you can download as a file and apply to your Chamilo portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually. Suggestions are provided below:

The problem can be reproduced by trying to delete a non-existent student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.
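The guard that the failure mode above calls for, as an added example that is not Chamilo's patch: a deletion routine that refuses an empty or non-existent work path instead of falling back to the course directory, and checks that the resolved target is a regular file inside the work directory. The directory layout and function name are assumptions; the course tree is constructed in a temporary directory so the script runs stand-alone.

```php
<?php
// Added example, not Chamilo code. Layout <course>/work/<file> and the function name are assumed.
function remove_work_file(string $course_dir, string $work_path): bool
{
    $course_dir = realpath($course_dir);
    if ($course_dir === false || $work_path === '') {
        return false;   // an empty path would resolve to the work directory itself
    }
    $work_root = $course_dir . DIRECTORY_SEPARATOR . 'work' . DIRECTORY_SEPARATOR;
    $target = realpath($work_root . $work_path);
    if ($target === false) {
        return false;   // the work does not exist (e.g. second click): nothing to delete
    }
    // The resolved path must stay inside <course>/work and must be a file, never a directory.
    if (strncmp($target, $work_root, strlen($work_root)) !== 0 || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed course directory used to exercise the guard.
$course = sys_get_temp_dir() . '/chamilo_course_' . uniqid();
mkdir("$course/work", 0700, true);
file_put_contents("$course/work/essay.txt", 'student work');

var_dump(remove_work_file($course, ''));                 // bool(false): empty path refused
var_dump(remove_work_file($course, 'missing.txt'));      // bool(false): non-existent work refused
var_dump(remove_work_file($course, '../../etc/passwd')); // bool(false): outside the work directory
var_dump(remove_work_file($course, 'essay.txt'));        // bool(true): the legitimate deletion
var_dump(is_dir("$course/work"));                        // bool(true): course tree is intact

rmdir("$course/work");   // clean up the constructed tree
rmdir($course);
```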

This bug was introduced in November of 2009, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug implies a peer review process, and this can only come with regular investment.

Using the services of an official Chamilo provider guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as you benefit from contributions from many others. Contribute to the Chamilo project using our official providers' services and encourage our healthy and socially responsible economic model!

Best regards,

Yannick Warnier
Lead developer for Chamilo 1.8

Issue '#1' - 2010-08-02 - Wiki issues

Fixed in package.

Updated by Yannick Warnier over 6 years ago · 38 revisions