CVE-2021-34187

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Chamilo LMS allows attackers to execute arbitrary SQL commands via the searchField, filters, or filters2 parameters in the model.ajax.php endpoint. It affects all Chamilo installations through version 1.11.14, potentially enabling unauthorized data access, modification, or deletion.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: All versions through 1.11.14
Operating Systems: All platforms running Chamilo
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the main/inc/ajax/model.ajax.php endpoint which is part of standard Chamilo installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or remote code execution via database functions.

🟠 Likely Case: Unauthorized access to sensitive user data, course materials, and administrative information stored in the database.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web requests without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with public proof-of-concept references, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Chamilo 1.11.15 and later

Vendor Advisory: https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-67-2021-05-27-High-impact-very-high-risk-Unauthenticated-SQL-injection

Restart Required: No

Instructions:

1. Back up your Chamilo installation and database.
2. Update to Chamilo 1.11.15 or later.
3. Apply the security patches from the GitHub commits.
4. Verify the fix by testing the vulnerable endpoints.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for searchField, filters, and filters2 parameters to block SQL injection attempts.

Modify main/inc/ajax/model.ajax.php to sanitize user inputs before processing

Web Application Firewall Rule

all

Block requests containing SQL injection patterns targeting the model.ajax.php endpoint.

Configure WAF to block patterns like UNION SELECT, OR 1=1, --, ;, etc. in parameters

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the affected PHP file
  • Restrict access to the model.ajax.php endpoint using IP whitelisting or authentication requirements
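The two workarounds above both lean on keyword blocking, which is brittle in both directions: it can miss an encoded or reworded pattern, and it rejects legitimate values that happen to contain a word like "from". The more robust shape of the "strict input validation" workaround is an allowlist: only known column names and operators are accepted, and the user-supplied values never reach the SQL text at all but travel as bind parameters. The following is an added example written for this page, not Chamilo's code, in Python rather than PHP so it can be run stand-alone. It assumes (the page does not state this) that `searchField` names a searchable column and that `filters`/`filters2` are JSON objects of the form `{"groupOp": ..., "rules": [{"field", "op", "data"}]}`; the column and operator allowlists are constructed for illustration.

```python
"""Allowlist validation for searchField / filters / filters2 as an
alternative to keyword blocking.

Added example, not Chamilo code. Assumptions (not stated on the page):
  * searchField must name a column the caller may search on;
  * filters and filters2 are JSON objects shaped like
    {"groupOp": "AND", "rules": [{"field": ..., "op": ..., "data": ...}]}.
Field names and operators are checked against fixed allowlists and mapped to
fixed SQL fragments; the user-supplied data values are never interpolated
into SQL text but returned as bind parameters for a parameterised query.
"""
import json

# Constructed allowlists for illustration; derive real ones from the columns
# the endpoint actually exposes.
ALLOWED_FIELDS = {"username", "firstname", "lastname", "email"}
# Operator token -> SQL fragment with a %s placeholder (DB-API paramstyle).
ALLOWED_OPS = {"eq": "= %s", "ne": "<> %s", "cn": "LIKE %s", "bw": "LIKE %s"}
ALLOWED_GROUP_OPS = {"AND", "OR"}
MAX_RULES = 20
MAX_DATA_LEN = 255


class ValidationError(ValueError):
    """Raised for any input outside the allowlist; the caller answers HTTP 400."""


def validate_search_field(value):
    """Accept only an allowlisted column name, nothing else."""
    if not isinstance(value, str) or value not in ALLOWED_FIELDS:
        raise ValidationError(f"searchField not permitted: {value!r}")
    return value


def build_where(raw_filters):
    """Turn a filters JSON string into (where_clause, bind_params)."""
    try:
        obj = json.loads(raw_filters)
    except ValueError as exc:
        raise ValidationError("filters is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ValidationError("filters must be a JSON object")

    group_op = obj.get("groupOp", "AND")
    if not isinstance(group_op, str) or group_op not in ALLOWED_GROUP_OPS:
        raise ValidationError(f"groupOp not permitted: {group_op!r}")
    rules = obj.get("rules", [])
    if not isinstance(rules, list) or len(rules) > MAX_RULES:
        raise ValidationError(f"rules must be a list of at most {MAX_RULES} items")

    clauses, params = [], []
    for rule in rules:
        if not isinstance(rule, dict):
            raise ValidationError("each rule must be an object")
        field, op, data = rule.get("field"), rule.get("op"), rule.get("data")
        if not isinstance(field, str) or field not in ALLOWED_FIELDS:
            raise ValidationError(f"field not permitted: {field!r}")
        if not isinstance(op, str) or op not in ALLOWED_OPS:
            raise ValidationError(f"op not permitted: {op!r}")
        if not isinstance(data, str) or len(data) > MAX_DATA_LEN:
            raise ValidationError(f"data must be a string of at most {MAX_DATA_LEN} chars")
        # The value goes into the parameter list untouched (apart from LIKE
        # wildcards), so quotes or keywords inside it are just data.
        if op == "cn":
            data = f"%{data}%"
        elif op == "bw":
            data = f"{data}%"
        clauses.append(f"{field} {ALLOWED_OPS[op]}")
        params.append(data)

    where = f" {group_op} ".join(clauses)
    return where, params


if __name__ == "__main__":
    # Constructed request values for a quick demonstration.
    print(validate_search_field("username"))
    print(build_where('{"groupOp": "AND", "rules": ['
                      '{"field": "lastname", "op": "cn", "data": "O\'Brien"},'
                      '{"field": "email", "op": "eq", "data": "a@example.org"}]}'))
```

The resulting `where` string is built only from allowlisted tokens, so it is safe to concatenate into the query; the `params` list is handed to the database driver's parameterised `execute`. A column name the allowlist does not know is rejected even when it contains no SQL keyword, and a value such as `O'Brien` is accepted without any escaping because it is never part of the SQL text.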

🔍 How to Verify

Check if Vulnerable:

Test the /main/inc/ajax/model.ajax.php endpoint with SQL injection payloads in searchField, filters, or filters2 parameters and observe database errors or unexpected responses.

Check Version:

Check the Chamilo version in the admin panel or review the main/inc/conf/configuration.php file for version information.

Verify Fix Applied:

After patching, test the same endpoint with SQL injection payloads and verify they are rejected or properly sanitized without database errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests to model.ajax.php with suspicious parameter values
  • Database query patterns containing UNION, SELECT, FROM in user inputs

Network Indicators:

  • HTTP POST/GET requests to model.ajax.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server_logs" AND uri="/main/inc/ajax/model.ajax.php" AND (param="*UNION*" OR param="*SELECT*" OR param="*FROM*")
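The SIEM query above expresses the log indicators listed in this section; the following added example (written for this page, not part of the advisory or of Chamilo) implements the same logic over access log lines so the matching rules can be checked offline. The log lines are constructed for illustration. Two details matter in practice: parameter values must be percent-decoded before keyword matching, otherwise an encoded `UNION` is missed, and the keyword match needs word boundaries so that an ordinary value such as the surname "Fromm" does not trip the `FROM` indicator. Note also that a standard access log records only the query string, so POST bodies sent to `model.ajax.php` need request-body logging or WAF logs to be covered.

```python
"""Detection over web server access logs for the indicators in this section:
requests to model.ajax.php whose searchField / filters / filters2 parameters
carry SQL keywords. Added example, not part of the advisory or of Chamilo;
the log lines are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/main/inc/ajax/model.ajax.php"
WATCHED_PARAMS = ("searchField", "filters", "filters2")
# Keyword list follows the SIEM query in the advisory; word boundaries keep
# ordinary values such as a surname "Fromm" or the word "Selector" from matching.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|FROM)\b", re.IGNORECASE)
# Minimal combined-log parser: client, method, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines: one benign search whose value contains "Fromm",
# two with SQL keywords (one percent/plus encoded, one lower case), one
# keyword on a different path, and one POST whose body the access log lacks.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2021:10:00:01 +0000] "GET /main/inc/ajax/model.ajax.php'
    '?a=get_user_list&searchField=username&filters=%7B%22rules%22%3A%5B%7B%22field%22'
    '%3A%22lastname%22%2C%22op%22%3A%22cn%22%2C%22data%22%3A%22Fromm%22%7D%5D%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/May/2021:10:00:02 +0000] "GET /main/inc/ajax/model.ajax.php'
    '?a=get_user_list&searchField=username+UNION+SELECT+1 HTTP/1.1" 500 0',
    '198.51.100.7 - - [27/May/2021:10:00:03 +0000] "GET /main/inc/ajax/model.ajax.php'
    '?a=get_user_list&filters2=union+select HTTP/1.1" 500 0',
    '192.0.2.9 - - [27/May/2021:10:00:04 +0000] "GET /index.php?search=select+courses HTTP/1.1" 200 2048',
    '198.51.100.7 - - [27/May/2021:10:00:05 +0000] "POST /main/inc/ajax/model.ajax.php HTTP/1.1" 200 88',
]


def parse_line(line):
    """Return (client, method, target, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    return client, method, target, int(status)


def suspicious_params(target):
    """List (param, KEYWORD) pairs for watched parameters of a model.ajax.php request."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    # parse_qs percent-decodes values and turns '+' into spaces, so the
    # keyword check runs on what the application would actually see.
    query = parse_qs(parts.query)
    hits = []
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            match = SQL_KEYWORDS.search(value)
            if match:
                hits.append((name, match.group(1).upper()))
    return hits


def scan(lines):
    """Return (client, param, KEYWORD) for every suspicious parameter seen."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _method, target, _status = parsed
        for name, keyword in suspicious_params(target):
            findings.append((client, name, keyword))
    return findings


def hits_by_client(lines):
    """Count findings per client, matching the 'multiple requests' indicator."""
    return dict(Counter(client for client, _name, _keyword in scan(lines)))


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(hits_by_client(SAMPLE_LOG))
```

Run against the constructed sample, only the two requests from `198.51.100.7` are reported; the benign "Fromm" search, the unrelated `/index.php` request, and the POST without a logged body are not. Pairing the hit count per client with the HTTP 500 status on those lines corresponds to the "unusual SQL errors" indicator above.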
