Project

General

Profile

Security issues » History » Revision 7

Revision 6 (Yannick Warnier, 30/09/2010 18:51) → Revision 7/80 (Yannick Warnier, 30/09/2010 18:55)

h1. Security issues

{{>toc}}

h2. Issue #2 - 2010-09-29 - High risk - Course directory removal risk through tasks tool

At around 11:55, Belgian time, on 29/09/2010, a new security issue has been reported by user mdube "on the Chamilo forum":http://www.chamilo.org/en/node/827.

* Risk level: high
* Versions affected: *1.8.6.2, 1.8.7, 1.8.7.1*
* Triggered by: teachers and administrators (no anonymous/student access)
* Patch: "See patch":http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic

This security issue's risk level is considered *high* (on a scale of critical, high, moderate and low) in the sense you require edition permissions in the course to provoke it (relatively safe) but it provokes highly painful damages: it deletes a course directory, entirely.

This bug affects versions 1.8.6.2, 1.8.7 and 1.8.7.1.

At 21:00, Belgian time (less than 12 hours later), Julio Montoya, on behalf of BeezNest, "developed a patch":http://code.google.com/p/chamilo/source/detail?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d&repo=classic that you can "download as a file":http://classic.chamilo.googlecode.com/hg/main/work/work.php?r=9cd63d72154d7c0ac0d7fb9858bc37e83c0ec44d and apply to your Chamilo 1.8.7.1 portal.

For previous versions of Chamilo, you will have to look at the patch and apply the differences manually.

The problem can be reproduced by trying to delete an un-existing student work from a course. The delete URL can be crafted manually, but it can also be triggered by a double click on the delete icon for a student work.
This means that if you have teachers accidentally double-clicking on the delete icon, they can delete the entire course directory. The only solution then is to restore the course directory quickly from your daily backup.

This bug was introduced "in November of 2009":http://code.google.com/p/chamilo/source/detail?r=d7ccd47395fe823bc521c9faeecb68e44d93197d&repo=classic&path=/main/work/work.php, while still working on Dok€os, by a then member of the BeezNest team trying to fix a complex issue by using the permanently_remove_deleted_files parameter to decide whether to delete the files permanently or to leave them on disk. This flaw could apply to Dok€os 2.0 (cannot be checked until the code is made available). The developer doesn't work with us anymore, and we have considerably improved the review process, but this specific kind of bug implies a peer review process, and this can only come with regular investment.

Using the services of an "official Chamilo provider":http://www.chamilo.org/en/providers guarantees your contributions go to Chamilo and help many other organizations and people around the world, just as
you benefit from contributions from many others. Contribute to the Chamilo project using our official providers services and encourage our healthy and socially responsible economical model!

Best regards,

Yannick Warnier
Lead developer for Chamilo 1.8

h2. Issue #1 - 2010-08-02 - Wiki issues

Fixed in 1.8.7.1 package.