CVE-2021-35414
📋 TL;DR
CVE-2021-35414 is an unauthenticated SQL injection vulnerability in Chamilo LMS v1.11.x that allows attackers to execute arbitrary SQL commands via the 'doc' parameter in the Compilatio plagiarism module. This affects all Chamilo LMS installations using vulnerable versions with the Compilatio module enabled. Attackers can potentially access, modify, or delete database content without authentication.
💻 Affected Systems
- Chamilo LMS
📦 What is this software?
Chamilo LMS by Chamilo
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Chamilo database leading to data theft, data destruction, privilege escalation to administrative access, and potential remote code execution through database functions.
Likely Case
Extraction of sensitive user data (credentials, personal information), manipulation of course content and grades, and potential lateral movement within the system.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, with database permissions restricted to minimum necessary privileges.
🎯 Exploit Status
Multiple public writeups and proof-of-concept examples exist. The vulnerability requires no authentication and has straightforward exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Chamilo LMS v1.11.10 and later (patches available in commits 36149c1, 6a98e32, f398b5b)
Vendor Advisory: https://github.com/chamilo/chamilo-lms/security/advisories
Restart Required: No
Instructions:
1. Update to Chamilo LMS v1.11.10 or later.
2. Apply the specific commits that fix the SQL injection in main/plagiarism/compilatio/upload.php.
3. Verify the patch by checking that parameterized queries or proper input validation is implemented for the 'doc' parameter.
🔧 Temporary Workarounds
Disable Compilatio Module
Linux: Temporarily disable or remove the Compilatio plagiarism module to prevent exploitation while patching.
mv main/plagiarism/compilatio/upload.php main/plagiarism/compilatio/upload.php.disabled
Web Application Firewall Rule
All platforms: Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for the 'doc' parameter in upload.php using prepared statements with parameterized queries.
- Restrict network access to the Chamilo instance using firewall rules to limit exposure to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Check if your Chamilo version is 1.11.8 or earlier and if the file main/plagiarism/compilatio/upload.php exists without the security patches applied.
Check Version:
Check the version in Chamilo's main/inc/conf/configuration.php or via the admin interface.
Verify Fix Applied:
Verify that the upload.php file includes proper input validation (e.g., prepared statements) for the 'doc' parameter and that your Chamilo version is 1.11.10 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs related to upload.php
- Multiple failed SQL query attempts with malformed 'doc' parameter values
- Unexpected database queries originating from the Compilatio module
Network Indicators:
- HTTP requests to /main/plagiarism/compilatio/upload.php with SQL injection patterns in parameters
- Unusual outbound database connections from the web server
SIEM Query:
source="web_logs" AND uri="/main/plagiarism/compilatio/upload.php" AND (param="doc" AND value MATCHES "(?i)(SELECT|UNION|INSERT|DELETE|UPDATE|DROP|OR|AND|'|--|#|;)")
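The same check run offline over web server access logs, as an added example that is not part of the original advisory or of Chamilo's code. It assumes combined-format access logs; the function name and the sample lines are constructed for illustration. Unlike the raw query above, it percent-decodes the 'doc' value before matching and puts word boundaries around the SQL keywords, so values such as "android_report" do not trigger on AND/OR.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/main/plagiarism/compilatio/upload.php"

# Same tokens as the SIEM query above; keywords are bounded so that
# substrings inside ordinary words (report, android) are not flagged.
SQLI = re.compile(
    r"(?i)\b(select|union|insert|delete|update|drop|or|and)\b|'|--|#|;"
)

# Assumed combined log format: client IP first, quoted request line, status.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_doc_requests(log_lines):
    """Return (client_ip, status, decoded_doc_value) for flagged requests."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so %27, %20 and '+' are matched in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("doc", []):
            if SQLI.search(value):
                hits.append((ip, int(status), value))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/May/2021:10:01:02 +0000] "GET /main/plagiarism/compilatio/upload.php?doc=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/May/2021:10:02:10 +0000] "GET /main/plagiarism/compilatio/upload.php?doc=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 498',
    '203.0.113.9 - - [13/May/2021:10:02:11 +0000] "GET /main/plagiarism/compilatio/upload.php?doc=7+UNION+SELECT+1 HTTP/1.1" 500 0',
    '198.51.100.7 - - [13/May/2021:10:03:00 +0000] "GET /main/plagiarism/compilatio/upload.php?doc=android_report HTTP/1.1" 200 512',
    '198.51.100.8 - - [13/May/2021:10:04:00 +0000] "GET /index.php?doc=1%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_doc_requests(SAMPLE_LOG):
        print(f"{ip} status={status} doc={value!r}")
```

Access logs record only the query string, so a 'doc' value sent in a request body is visible only where request bodies are logged or inspected, for example at the WAF.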
🔗 References
- https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-2-in-plugin
- https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-in-compilatio-module
- https://github.com/chamilo/chamilo-lms/commit/36149c1ff99973840a809bb865f23e1b23d6df00
- https://github.com/chamilo/chamilo-lms/commit/6a98e32bb04aa66cbd0d29ad74d7d20cc7e7e9c5
- https://github.com/chamilo/chamilo-lms/commit/f398b5b45c019f873a54fe25c815dbaaf963728b
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-59-2021-05-13-High-impact-low-risk-Unauthenticated-SQL-injection-vulnerability-when-a-module-is-enabled
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-65-2021-05-15-High-impact-very-high-risk-Unauthenticated-SQL-injection-in-plugin