Security issues » History » Revision 7

Revision 6 (Yannick Warnier, 30/09/2010 18:51) → Revision 7/80 (Yannick Warnier, 30/09/2010 18:55)

h1. Security issues


h2. Issue #2 - 2010-09-29 - High risk - Course directory removal risk through tasks tool

At around 11:55, Belgian time, on 29/09/2010, a new security issue has been reported by user mdube "on the Chamilo forum":

* Risk level: high
* Versions affected: *, 1.8.7,*
* Triggered by: teachers and administrators (no anonymous/student access)
* Patch: "See patch":

This security issue's risk level is considered *high* (on a scale of critical, high, moderate and low) in the sense you require edition permissions in the course to provoke it (relatively safe) but it provokes highly painful damages: it deletes a course directory, entirely.

This bug affects versions, 1.8.7 and

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, "developed a patch": that you can "download as a file": and apply to your Chamilo portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually.

The problem can be reproduced by trying to delete an un-existing student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.

This bug was introduced "in November of 2009":, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug implies a peer review process, and this can only come with regular investment.

Using the services of an "official Chamilo provider": guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as
you benefit from contributions from many others. Contribute to the Chamilo project using our official providers services and encourage our healthy and socially responsible economical model!

Best regards,

Yannick Warnier
Lead developer for Chamilo 1.8

h2. Issue #1 - 2010-08-02 - Wiki issues

Fixed in package.