Security issues » History » Version 53

Yannick Warnier, 26/12/2016 19:16

h1. Security issues

{{>toc}}

h2. Security track record

Chamilo LMS has a strong track record of fixing reported security issues, working together with security researchers and publishing fixes before the vulnerabilities are officially published on public advisory sites.

So far in the history of the project (since late 2009), all vulnerabilities but one have been fixed less than 72h after they were reported to us, and the process of code review by packagers before inclusion (no unchecked plugin) has always been followed, making it *the most secure open source e-learning platform* to date.

You can see a graphical representation of the reports and fixes here (with corresponding links to check details): http://www.cvedetails.com/product/26528/Chamilo-Chamilo-Lms.html?vendor_id=12983 (navigate and check other LMSes to compare their security track record).

If you consider using another LMS, please (for your own sake) check its security track record (sometimes, months can pass before fixes are provided publicly, as here: http://securitytracker.com/id/1029437).

Check [[Secure_development_policy]] for more info.

h2. Security flaws reporting procedure

If you have found a new security flaw in Chamilo, please send us an e-mail at security@chamilo.org and info@chamilo.org, including "Chamilo Vulnerability" in your subject line. We *will* respond quickly to these (usually within 24h), so if you don't receive an answer, please consider that it might not have been received and send it again.

In the worst case, open an issue in this issue tracker to call for our attention, but please do not publish the flaw until a patch has been developed.

h2. Security flaws fixing procedure

Security matters to us. A lot. So when we receive a security flaw report, we treat it very quickly (usually in a matter of 1 to 4 days).

Our procedure is as follows:

# we will report these issues in a private part of this issue tracker
# one of us (developers) will be put in charge of providing a patch
# the developer will publish the patch in our source code repository (that's the first publication)
# if relevant credits information has been sent to us, we will add this information to the code and the commit message to 

h2. Security flaws publication procedure

# we will then prepare (and publish below) a full report and the corresponding patch to secure your platform. We will also provide the patch in the form of a zip to unzip into your Chamilo directory for the latest stable version
# if you don't use the latest version, you will have to upgrade first *or* apply the patch by yourself in your version
# we will send an e-mail to security@lists.chamilo.org and through our @chamilosecurity Twitter account
# if the security flaw has been passed to a security reporting authority, we will send them an e-mail

h2. Reported flaws

h3. Issue '#22' - 2016-12-26 - Moderate risk - PHPMailer shell escaping flaw

A flaw in the PHPMailer library, used in Chamilo LMS <=1.9.*, was reported to us by Peter Bex of more-magic.net, and initially identified by Hanno Böck.

We still don't have a patch at this time for version 1.9, but later versions seem to use a different mailing library. The recommended way to proceed for now is simply to upgrade your portal to 1.11.*

h3. Issue '#21' - 2016-07-15 - Moderate risk - User Input Sanitization

A series of user input data were reported as unsanitized in 1.10.6. This was reported by the Echelon team (npo-echelon.ru) and automatically detected by the static code analyzer "AppChecker":https://cnpo.ru/en/solutions/appchecker.php. As far as we could check, these require course access and, as such, will not affect non-public courses. You either have to have an open-access platform or an open course inside your platform to be affected.

Fixes for these vulnerabilities can be found here: https://github.com/chamilo/chamilo-lms/commit/52ef413e2719be2da521beb83a476d91468ef5e7

We have added additional filtering as well, available here: https://github.com/chamilo/chamilo-lms/commit/2a47c02329fb8dee04a6b6425c9ee7601c6f32e2

These fixes have been included in Chamilo 1.10.8 and all future versions.

h3. Issue '#20' - 2016-02-15 - Moderate risk - (messageId)

A rogue security issue (not reported through official channels, and including a public exploit) was reported on 17/02/2016 by Lawrence Amer about being able to hijack another person's session through the handling of a crafted work in the assignments tool. This requires low-permission access (student in a course) but could allow a student to hijack a teacher's or admin's session.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:

* For 1.9.x
** https://github.com/chamilo/chamilo-lms/commit/d24f81b60e0a788a1dea4272ebe4a342f8874623
* For 1.10.x
** https://github.com/chamilo/chamilo-lms/commit/c3b9a10e7c9ad04e1cc3437848a99867cb5067ad

h3. Issue '#19' - 2016-02-15 - Moderate risk - (messageId) Delete Post Vulnerability

A rogue security issue (not reported through official channels, and including a public procedure on how to exploit it) was reported on 15/02/2016 by Lawrence Amer about accessing other people's messages in the Chamilo social network, and giving the ability to delete other people's messages. Given the fact that messages are also sent by e-mail, we do not consider the deletion of other people's messages a high risk. However, accessing the messages themselves can be considered a high-risk private information access vulnerability.

Fixes for different versions of Chamilo are provided below, matching our max 72h response time policy:

* For 1.9.x
** https://github.com/chamilo/chamilo-lms/commit/9b9de176d3651f5a9a59fd3ae0bf63a098392027
* For 1.10.x
** https://github.com/chamilo/chamilo-lms/commit/e45079df7a1bf31bbcdd9b1d22d8c23cf76fd1db

h3. Issue '#18' - 2015-05-02 - Low-Moderate risk - URL hijacking/spoofing

A URL spoofing vulnerability has been reported by Luis Eduardo Jácome V. in Chamilo LMS 1.9.10.2 and all previous versions, allowing ill-intentioned crackers to modify a URL like:

* http://chamilo.org/main/link/link_goto.php?[...]&link_url=[original-redirect-url]

to

* http://chamilo.org/main/link/link_goto.php?[...]&link_url=[malign-redirect-url]

Because the change is clearly visible in the URL, we don't consider this vulnerability to represent a high risk to the user, but we still consider it a valid vulnerability, which is why we have provided the following fix, which you can freely apply to your 1.9.* installation. These changes effectively ignore the link_url parameter and only take into account the link_id, whose URL is stored in the database, making it impossible to abuse the same channel. Very complicated circumstances prevented us from publishing the fix on this page in a timely manner, but the commits were sent several days ago already.

https://github.com/chamilo/chamilo-lms/commit/aa052c08b9f4bbde686572c66dc0301ac7a480b8
https://github.com/chamilo/chamilo-lms/commit/23f2e7520be2c0c9e77e58d508023f39afb82f6c
https://github.com/chamilo/chamilo-lms/commit/aeac10a06115a810bd630f04d55f452c51be35d5
https://github.com/chamilo/chamilo-lms/commit/84bba539d632957447832a01cf2e2c4035ed6dbf

Or, in more detail:
<pre>
diff --git a/main/inc/lib/link.lib.php b/main/inc/lib/link.lib.php
index 875f048..eb3b156 100755
--- a/main/inc/lib/link.lib.php
+++ b/main/inc/lib/link.lib.php
@@ -103,6 +103,28 @@ class Link extends Model

         return false;
     }
+    
+    /**
+    *
+    * Get link info
+    * @param int link id
+    * @return array link info
+    *
+    **/
+    public static function get_link_info($id)
+    {
+        $tbl_link = Database:: get_course_table(TABLE_LINK);
+        $course_id = api_get_course_int_id();
+        $sql = "SELECT * FROM " . $tbl_link . "
+                WHERE c_id = $course_id AND id='" . intval($id) . "' ";
+        $result = Database::query($sql);
+        $data = array();
+        if (Database::num_rows($result)) {
+            $data = Database::fetch_array($result);
+        }
+        
+        return $data;
+    }
 }

 /**
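Review bot: get_link_info() falls back to an empty array when no row matches (the `$data = array();` default), but the docblock does not say so and the caller in link_goto.php reads `$linkInfo['url']` unconditionally; suggest documenting it (`@return array link info, empty array if not found`) and naming the parameter in the `@param` line. The lookup itself is sound: `c_id = $course_id` scopes it to the current course and `intval($id)` keeps the id numeric, so the query cannot be widened through link_id.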
diff --git a/main/link/link_goto.php b/main/link/link_goto.php
index 75163bb..101967f 100755
--- a/main/link/link_goto.php
+++ b/main/link/link_goto.php
@@ -21,16 +21,20 @@
 require_once '../inc/global.inc.php';
 $this_section = SECTION_COURSES;

-$link_url = html_entity_decode(Security::remove_XSS($_GET['link_url']));
-$link_id = intval($_GET['link_id']);
+require_once api_get_path(LIBRARY_PATH).'link.lib.php';

+$this_section = SECTION_COURSES;
+
+$linkId = intval($_GET['link_id']);
+
+$linkInfo = Link::get_link_info($linkId);
+$linkUrl = html_entity_decode(Security::remove_XSS($linkInfo['url']));
 // Launch event
-event_link($link_id);
+event_link($linkId);

 header("Cache-Control: no-store, no-cache, must-revalidate");   // HTTP/1.1
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");                                     // HTTP/1.0
-header("Location: $link_url");
-
-// To be sure that the script stops running after the redirection
+header("Location: $linkUrl");
 exit;
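Review bot: `$linkUrl` is built from `$linkInfo['url']` without checking that get_link_info() found a row, so an unknown link_id (or one belonging to another course) produces `header("Location: ")` with an empty target plus a PHP notice instead of an explicit refusal; suggest `if (empty($linkInfo)) { ... }` aborting with an error before any header is sent. Two smaller points: `$this_section = SECTION_COURSES;` is now assigned twice (once in the unchanged context, once in the added block), and the removed comment explaining why `exit;` must follow the redirect is worth keeping.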
</pre>

The fix has already been applied in preparation for version 1.10.0 and future versions.

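
Added example (not Chamilo's own code) of the defensive pattern the patch above applies, going beyond it by also handling a link_id that matches no row in the current course and by refusing stored targets that are not absolute http(s) URLs; resolve_redirect() and the $links array are hypothetical stand-ins for Link::get_link_info() and the course link table.

```php
<?php
// Added example for issue #18 (not Chamilo's own code): resolve the redirect
// target from stored data by link_id, never from a request parameter, and
// refuse targets that are not absolute http(s) URLs. resolve_redirect() and
// $links are hypothetical stand-ins for Link::get_link_info() and the course
// link table; they are not part of Chamilo LMS.

/**
 * Return the URL to redirect to, or null when the request must be refused.
 *
 * @param array $links     rows with c_id, id and url (stand-in for the table)
 * @param int   $courseId  course the request is being made in
 * @param mixed $rawLinkId the raw link_id request parameter
 * @return string|null
 */
function resolve_redirect(array $links, $courseId, $rawLinkId)
{
    // Same normalisation as the patch: intval() turns any junk into an int.
    $linkId = intval($rawLinkId);
    if ($linkId <= 0) {
        return null;
    }
    foreach ($links as $row) {
        // The patch scopes the lookup to the current course (c_id); a link
        // id from another course must not resolve here.
        if ((int) $row['c_id'] !== (int) $courseId || (int) $row['id'] !== $linkId) {
            continue;
        }
        // Stored values are HTML-encoded in the table, as in the patch.
        $url = html_entity_decode($row['url'], ENT_QUOTES, 'UTF-8');
        $parts = parse_url($url);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return null; // relative or malformed: do not redirect
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return null; // only web URLs are acceptable redirect targets
        }
        return $url;
    }
    return null; // no such link in this course
}

// Constructed sample table, not real data.
$links = [
    ['c_id' => 1, 'id' => 7, 'url' => 'https://example.org/reading?a=1&amp;b=2'],
    ['c_id' => 1, 'id' => 8, 'url' => 'ftp://files.example.org/pub/notes.txt'],
    ['c_id' => 2, 'id' => 9, 'url' => 'https://example.org/other-course'],
];

// Constructed requests: a valid id, a non-web scheme, another course's id,
// an id with trailing junk, and a link_url parameter that is simply ignored.
$requests = [
    ['course' => 1, 'link_id' => '7'],
    ['course' => 1, 'link_id' => '8'],
    ['course' => 1, 'link_id' => '9'],
    ['course' => 1, 'link_id' => '7abc'],
    ['course' => 1, 'link_id' => '7', 'link_url' => 'https://elsewhere.example/'],
];

foreach ($requests as $req) {
    $target = resolve_redirect($links, $req['course'], $req['link_id']);
    if ($target === null) {
        // Real code would stop here with an error page instead of redirecting.
        echo "link_id={$req['link_id']}: refused\n";
    } else {
        // Real code would send header("Location: $target") and exit.
        echo "link_id={$req['link_id']}: Location: $target\n";
    }
}
```
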
h3. Issue '#17' - 2015-03-19 - Moderate risk - XSS & CSRF vulnerabilities

A series of XSS and CSRF vulnerabilities were reported on 2/3/2015 by Rehan Ahmed. After careful consideration and a fruitful exchange, we released different patches (find them individually in the Chamilo changelog for 1.9.10.2) that cover these vulnerabilities.

In the official report, the author mentions the patch release as 1.9.11. However, our bugfix release policy enforces the use of the 1.9.10.2 number for this release. As of this writing, 1.9.11 does not (and will not) exist; it is a misnaming of 1.9.10.2.

This is considered a moderate risk because most of these require being an authenticated user in order to exploit them. On privately-managed portals, this is usually not an issue, but on open campuses, it is.

Initial report: received by e-mail on 2/3/2015
Proper report: #7564
Fix: The fix is to upgrade to Chamilo LMS 1.9.10.2, released today. The changelog contains the individual commits required to fix the vulnerabilities manually.
Affected versions: These vulnerabilities are likely to affect all previous versions of Chamilo LMS

If you are using *any* 1.9.x version of Chamilo, 1.9.10.2 is a minor version, so upgrading is *only* a matter of overwriting the current Chamilo code (removing the home/ directory in the *new* version package is recommended before you overwrite, in case you have a customized homepage).

If you require assistance applying those fixes, Chamilo Official Providers are trained to help you out in a professional manner.

h3. Issue '#16' - 2015-01-25 - High risk - SQL injection vulnerability in several queries

A series of security issues were reported on 9/12/2014 by Kacper Szurek. Because these vulnerabilities potentially affected numerous parts of the code, we took some time to finish a complete review of Chamilo and decided to publish the fix as part of Chamilo LMS 1.9.10.

This is considered high-risk because we could not measure precisely the impact it might have had, but we urge all our users to upgrade to Chamilo LMS 1.9.10 as soon as possible to avoid any problematic incident.

Initial report: received by e-mail on 9/12/2014
Proper report: #7440
Fix: The fix is to upgrade to Chamilo LMS 1.9.10, released today. A standalone patch cannot easily be provided because it is too likely to break other parts of the code.
Affected versions: These vulnerabilities are likely to affect all previous versions of Chamilo LMS

If you are using *any* 1.9.x version of Chamilo, 1.9.10 is a minor version, so upgrading is *only* a matter of overwriting the current Chamilo code (removing the home/ directory in the *new* version package is recommended before you overwrite, in case you have a customized homepage).

If you would like to apply a patch manually (and although we *don't* have a complete and secure patch at the moment), you can use the 3 main changes that were applied to fix it. This might not be an exhaustive list and, as always, Chamilo or BeezNest are not responsible for what might happen to your platform (see the GNU/GPLv3 license for details):

* https://github.com/chamilo/chamilo-lms/commit/3463b0465f60e07ae03d41c6bd9fd8a8d030de4d
* https://github.com/chamilo/chamilo-lms/commit/e01f044d58a7698b44fdda3a73c83eb8181a4910
* https://github.com/chamilo/chamilo-lms/commit/28baec78d282baec9aaa2c85f4736921375c3f6a

h3. Issue '#15' - 2014-08-25 - Moderate-high risk - SQL injection in mySpace/users.php

A security issue has been reported by NeoSys on our forum, which allows a person with access to a course's users tool to pass a specially-crafted "status" parameter to get more results than expected, and potentially access (and modify) other parts of the database.

This is considered moderate-high because it is limited to users having access to that tool, but it has a possibly high impact.

Initial report: http://www.chamilo.org/phpBB3/viewtopic.php?f=15&t=5443&p=23969#p23969
Proper report: #7242
Fix: (very easy one-liner) https://github.com/chamilo/chamilo-lms/commit/8a75f654066e4ff74567e5b427230117667325d1
Affected versions: this doesn't *seem* to affect versions of Chamilo LMS previous to 1.9.8.0, as this code was introduced recently, but please make sure you check your own installation to avoid any uncomfortable situation.
This patch will be included in release 1.9.8.3.

h3. Issue '#14' - 2014-06-18 - Moderate risk - XSS vulnerability in online editor

A security issue has been published for FCKeditor very shortly after the release of Chamilo LMS 1.9.8. Considering we include a vulnerable version of FCKeditor in our software, we cannot leave this issue unattended, and as such we are releasing Chamilo LMS 1.9.8.1, a patch version for 1.9.8, with just one file patched. See https://github.com/chamilo/chamilo-lms/commit/2b6686e620407ab8d4ceb8951de4ce978917fc93 for more details or if you want to apply the patch manually. This covers CVE-2014-4037.

Considering the relatively short period of time between the release of 1.9.8 and 1.9.8.1, we will still release 1.9.8.1 under the "commercial" name of 1.9.8, and will *link* all previous 1.9.8 links to the new 1.9.8.1 package. The changelog has been updated.
Considering you will be updating to 1.9.8.1 anyway, you'll notice that we've also fixed a few (around 5) minor (mostly visual) issues that we caught just after the release of 1.9.8. So you kill two birds with one stone.

As always, being a minor version, you can just overwrite your previous installation with the files from this new package.

h3. Issue '#13' - 2014-05-06 - Moderate risk - XSS vulnerability in user profile fields

Javier Bloem, independent white hat hacker from Venezuela, reported multiple possible attack vectors in description fields of Chamilo. Although these attacks require at minimum access as a registered user to the portal, they do represent a vulnerability for those portals that accept open registration.

Patches have been committed to GitHub as commits:

* https://github.com/chamilo/chamilo-lms/commit/94706d7f99f7cb563c2a4f201c016caf7589fce1
* https://github.com/chamilo/chamilo-lms/commit/dd9bcd64fee588637914eec529cb489a8e89f2df
* https://github.com/chamilo/chamilo-lms/commit/a22589a9b909b32c89fe532d07b621d84b77fb34

Please update your portal(s) if you are in this case.
The fix is available in Chamilo 1.9.8 starting from Beta 1.

h3. Issue '#12' - 2014-03-05 - High risk - File injection through FCKEditor

Eric Marguin, from agence-codecouleurs.fr, reported an attack related to flaw #11, confirming it at the same time, whereby a skilled attacker injected a PHP file through an unprotected entry point in our implementation of FCKEditor.

Affected versions: 1.8.*, 1.9.*

To fix, please update the files:

<pre>
main/inc/lib/fckeditor/editor/plugins/ImageManager/config.inc.php
main/inc/lib/fckeditor/editor/plugins/MP3/fck_mp3.php
</pre>

by adding the following line after the global.inc.php call:

<pre>
api_block_anonymous_users();
</pre>

Note that this issue, together with issue #11, is fixed from 1.9.8 onwards.

h3. Issue '#11' - 2013-12-09 - High risk - File injection through FCKEditor - CONFIRMED

Stijn Michels, one of Chamilo LMS's users, reports in #6860 that he has been attacked through a likely flaw in one of the FCKEditor plugins used in Chamilo LMS, due to the fact that it does not check the user's identity before uploading a file. The attack could not be reproduced. However, we think that preventive correction is important, and we have worked together to publish a patch that can be applied to any 1.8 or 1.9 version of Chamilo.

Affected versions: 1.8.*, 1.9.*

To fix, please update your main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/inc/config.php file, adding the following on line 19:
<pre>
api_block_anonymous_users();
</pre>
and main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php, adding the following on lines 33 and 34:
<pre>
// Disabling access for anonymous users.
api_block_anonymous_users();
</pre>

h3. Issue '#10' - 2013-11-06 - Moderate risk - SQL Injection in specific unrecommended case

High-Tech Bridge reported an SQL-injection-type security flaw in version 1.9.6 of Chamilo LMS (which also affects previous versions).
This flaw *only affects* Chamilo LMS platforms which use the non-encrypted passwords mode (a mode that is available as a non-default option only during Chamilo LMS's installation process and is difficult to change afterwards).
If non-encrypted mode is selected (voluntarily) *and* malicious users have access to the profile edition form (which requires an active registered user account on the platform), then this issue represents a very high risk for you!
We believe and hope that most of our platform administrators have chosen the default recommended encrypted mode on their platform, but it is important to us to cover all risks. This is why we will be issuing a fix very shortly.

As a very quick fix, you can just open main/auth/profile.php, go to line 366 (function check_user_password()) and transform the following line:
<pre>
$password = api_get_encrypted_password($password);
</pre>
into this:
<pre>
$password = Database::escape_string(api_get_encrypted_password($password));
</pre>

This vulnerability has been assigned CVE-2013-6787.

See https://www.htbridge.com/advisory/HTB23182 for the original official report.

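
Added example (not Chamilo's own code) showing why the escaping fix above only matters in non-encrypted password mode; the stub_* functions and the query shape are assumptions standing in for api_get_encrypted_password(), Database::escape_string() and the query in check_user_password().

```php
<?php
// Added example for issue #10 (not Chamilo's own code): why the one-line
// Database::escape_string() fix only matters in "non-encrypted passwords"
// mode. The two stub functions stand in for Chamilo's
// api_get_encrypted_password() and Database::escape_string(); the query shape
// is a simplified assumption about check_user_password(), not its real text.

/**
 * Stand-in for api_get_encrypted_password(): Chamilo reads the password
 * encryption setting chosen at installation; here it is passed explicitly.
 */
function stub_get_encrypted_password($password, $mode)
{
    return $mode === 'none' ? $password : sha1($password);
}

/**
 * Stand-in for Database::escape_string(), escaping the same characters as
 * mysqli_real_escape_string() does for a single-byte connection charset.
 */
function stub_escape_string($value)
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Query as built before the fix: the (possibly raw) password is concatenated
// straight into the SQL string.
function build_query_before_fix($userId, $password, $mode)
{
    $password = stub_get_encrypted_password($password, $mode);
    return "SELECT user_id FROM user WHERE user_id = " . intval($userId)
        . " AND password = '" . $password . "'";
}

// Same query with the advisory's fix: the value is escaped before use.
function build_query_after_fix($userId, $password, $mode)
{
    $password = stub_escape_string(stub_get_encrypted_password($password, $mode));
    return "SELECT user_id FROM user WHERE user_id = " . intval($userId)
        . " AND password = '" . $password . "'";
}

// Constructed input: a password containing a single quote, the character
// that terminates the SQL string literal.
$submitted = "it's";

foreach (['sha1', 'none'] as $mode) {
    $before = build_query_before_fix(1, $submitted, $mode);
    $after  = build_query_after_fix(1, $submitted, $mode);
    echo "mode=$mode\n  before: $before\n  after:  $after\n";
    // In encrypted mode the hash is hexadecimal, so escaping changes nothing
    // and the quote never reaches SQL; in non-encrypted mode only the fixed
    // query keeps the quote inside the literal.
    echo '  queries identical: ', ($before === $after ? 'yes' : 'no'), "\n";
}
```
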
h3. Issue '#9' - 2013-08-10 - Low risk - XSS in course title

Javier Bloem from Venezuela reported (through the Venezuela local group) one XSS flaw, involving the editing of a course title. This was fixed in commit https://github.com/chamilo/chamilo-lms/commit/3c770c201dbe1ce96480a3e51ff25d0b70c83514 (you can update a 1.9.* install just by using the file at https://raw.github.com/chamilo/chamilo-lms/3c770c201dbe1ce96480a3e51ff25d0b70c83514/main/course_info/infocours.php ).
This flaw is considered "low risk" because it is an XSS (so stealing sessions is the kind of risk you get) *and* it is only accessible if you have the permission to create and edit courses, which you only get if you're a teacher.
It is, however, duly considered a flaw, as the default Chamilo installation *does* allow anybody to create a new teacher user, so it does represent a security risk for all people NOT READING the many recommendations on disabling this possibility as soon as they enter production.

Download the main/course_info/infocours.php script and replace it in your 1.9 installation from here: https://raw.github.com/chamilo/chamilo-lms/3c770c201dbe1ce96480a3e51ff25d0b70c83514/main/course_info/infocours.php

h3. Issue '#8' - 2013-03-04 - Moderate risk - Several moderate security flaws

Fernando Muñoz, via the Secunia SVCRP, kindly reported 3 flaws through Secunia, affecting at least version 1.9.4 (and most probably all previous versions) of Chamilo LMS.

In order to ensure maximum responsiveness of our Chamilo administrators around the world, we provide 2 fix mechanisms, given here in order of increasing level of required skills. We should be publishing 1.9.6 soon, which will include this fix. The patches below are provided for version 1.9.4. You can find the details of the changes here: http://code.google.com/p/chamilo/source/detail?r=c9e8a27f8cde1f04dbe69d3f52a2e34c422bd679&name=1.9.x&repo=classic

* Download and apply the files replacement provided here: http://support.chamilo.org/attachments/download/3997/chamilo-1.9.4-vuln-8.zip Put the file directly into the root directory of Chamilo and uncompress it there.
* Apply the patch provided here:
  For 1.9.4 http://support.chamilo.org/attachments/download/3999/chamilo-1.9.4-vuln-8.patch
  For 1.9.2 and 1.9.0 http://support.chamilo.org/attachments/download/4007/chamilo-1.9.2-vuln-8.patch
  For 1.8.8.6 http://support.chamilo.org/attachments/download/4008/chamilo-1.8.8.6-vuln-8.patch
  For 1.8.8.2 http://support.chamilo.org/attachments/download/4013/chamilo-1.8.8.2-vuln-8.patch
  For 1.8.7.1 http://support.chamilo.org/attachments/download/4014/chamilo-1.8.7.1-vuln-8.patch

If you require special assistance, please contact providers@chamilo.org to hire an expert, or ask for help on the forum: http://www.chamilo.org/forum

h3. Issue '#7' - 2012-07-16 - Moderate risk - Several moderate security flaws

Fernando Muñoz kindly reported a series of moderate security flaws in Chamilo 1.8.8.4 (most likely also affecting all previous versions): two XSS risks and one unauthorized file deletion risk. This has been registered in private task #5202.

In order to ensure maximum responsiveness of our Chamilo administrators around the world, we provide 3 fix mechanisms, given here in order of increasing level of required skills:

* Download and apply the files replacement provided here: http://support.chamilo.org/attachments/download/2864/patch-1.8.8.6.tgz Put the file directly into the root directory of Chamilo and uncompress it there.
* Download version 1.8.8.6 and follow the normal upgrade procedure: http://code.google.com/p/chamilo/downloads/detail?name=chamilo-1.8.8.6.tar.gz&can=2&q=
* Apply the patch provided here: http://support.chamilo.org/attachments/download/2863/chamilo-1.8.8.4-to-1.8.8.6.patch

We considered the report sufficiently serious for us to publish a new minor version of the software. Please apply it using one of the three methods above AS SOON AS POSSIBLE.

h3. Issue '#6' - 2011-06-15 - High risk - Several security flaws

Petr Skoda (<security _at_ skodak _dot_ org>) recently reported a series of flaws in Chamilo 1.8.8.2, which have been duly reported here http://support.chamilo.org/issues/3600 and here http://support.chamilo.org/issues/3601 and fixed in preparation for a special corrective 1.8.8.4 release within a few days (probably on the 18th of June). This release will come together with a series of improvements to the code, and no upgrade procedure will be needed.
Patches are already available here:

* http://code.google.com/p/chamilo/source/detail?r=9ab36506b7099d29c005f4d4860a600e6734c166&repo=classic
* http://code.google.com/p/chamilo/source/detail?r=2b9e225f1659d253a8e458dabea5b71e4b57ac9b&repo=classic
* http://code.google.com/p/chamilo/source/detail?r=eef0cf45ceb4da084b3c61651fefae61d4e49fe2&repo=classic
* http://code.google.com/p/chamilo/source/detail?r=7ccba74a526d52c7831781e05ed52311439cf922&repo=classic

h3. Issue '#5' - 2011-01-31 - High risk - Filesystem traversal flaw

Fernando Muñoz kindly reported a major security flaw in the document system, by which a user could gain access to the database on carelessly configured servers.
* To fix it, please apply the changes found at
http://code.google.com/p/chamilo/source/browse/main/document/download.php?spec=svn.classic.3c071b2b6555552651a9617b1c92a9a983da875f&repo=classic&r=3c071b2b6555552651a9617b1c92a9a983da875f
and
http://code.google.com/p/chamilo/source/detail?r=f2254d813f3a44a0a1b1717876b3c81df72a6879&repo=classic

* To discuss, please connect to http://support.chamilo.org/issues/2722

This flaw is being reported to our Twitter security account and to our mailing-list security@lists.chamilo.org
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.

h3. Issue '#4' - 2011-01-28 - High risk - Filesystem traversal flaw

Fernando Muñoz kindly reported a major security flaw in the gradebook system, by which a user could gain access to the database on carelessly configured servers.
* To fix it, please apply the changes found at http://code.google.com/p/chamilo/source/detail?r=b81c9c8012fa414d246a973aafddbde305c6f6f7&repo=classic
* To discuss, please connect to http://support.chamilo.org/issues/2705

This flaw is being reported to our Twitter security account and to our mailing-list security@lists.chamilo.org
The fix will be included in Chamilo 1.8.8, to be released within 14 days, but we recommend applying the patch to any production system straight away.

h3. Issue '#3' - 2010-12-09 - Low risk - Wiki and core weaknesses in specific configurations

develop-it.be kindly scanned the Chamilo 1.8.8 development version and found several minor issues, which we have fixed and included in 1.8.8 (to be released February 2011).

h3. Issue '#2' - 2010-09-29 - High risk - Course directory removal risk through tasks tool

At around 11:55, Belgian time, on 29/09/2010, a new security issue was reported by user mdube "on the Chamilo forum":http://www.chamilo.org/en/node/827.

* Risk level: high
* Versions affected: *1.8.6.2, 1.8.7, 1.8.7.1*
* Triggered by: teachers and administrators (no anonymous/student access)
* Patch: "See patch":http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic

This security issue's risk level is considered *high* (on a scale of critical, high, moderate and low) in the sense that you require editing permissions in the course to provoke it (relatively safe), but it provokes highly painful damage: it deletes a course directory, entirely.

This bug affects versions 1.8.6.2, 1.8.7 and 1.8.7.1.

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, "developed a patch":http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic that you can "download as a file":http://classic.chamilo.googlecode.com/hg/main/work/work.php?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d and apply to your Chamilo 1.8.7.1 portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually. Suggestions are provided below:
* "replacement work.php for 1.8.6.2":/attachments/download/1111/work.php.1862
* "replacement work.php for 1.8.7":/attachments/download/1112/work.php.187

The problem can be reproduced by trying to delete a non-existent student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.

This bug was introduced "in November of 2009":http://code.google.com/p/chamilo/source/detail?r=d7ccd47395fe823bc521c9faeecb68e44d93197d&repo=classic&path=/main/work/work.php, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug requires a peer review process, and this can only come with regular investment.

Using the services of an "official Chamilo provider":http://www.chamilo.org/en/providers guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as you benefit from contributions from many others. Contribute to the Chamilo project using our official providers' services and encourage our healthy and socially responsible economic model!

Best regards,

Yannick Warnier
Lead developer for Chamilo 1.8

h3. Issue '#1' - 2010-08-02 - Wiki issues

Fixed in 1.8.7.1 package.