Chamilo LMS SQL Injection Vulnerability in Vchamilo Plugin

Vulnerability

A SQL injection vulnerability has been identified in Chamilo LMS versions prior to 1.11.30. The issue arises from insufficient validation of the user-supplied 'value' GET parameter in two scripts: '/plugin/vchamilo/views/syncparams.php' and '/plugin/vchamilo/ajax/service.php'. This lack of proper validation allows an attacker to inject arbitrary SQL statements, potentially altering the logic of database queries. The vulnerability can be exploited by an authorized user with administrative privileges.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, where an attacker can manipulate SQL queries and potentially access or modify database information.

Reproduction

To reproduce this vulnerability, the Vchamilo module must be enabled. Once activated, an authenticated user with administrative rights can send a GET request to '/plugin/vchamilo/ajax/service.php' or '/plugin/vchamilo/views/syncparams.php' with crafted SQL injection payloads in the 'what', 'settingid', and 'value' parameters. The injection can be verified by observing database error responses that indicate successful exploitation.
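For defenders who want to check whether the endpoints above have been probed, the following Python script is an added detection example (not Chamilo code and not part of this advisory). It parses combined-format web server access log lines, restricts itself to the two vchamilo scripts and the 'what', 'settingid' and 'value' parameters named in this advisory, and flags requests whose parameter values contain SQL metacharacters or that produced a server error, which is what error-based injection attempts tend to leave behind. The log lines, IP addresses and usernames are constructed for the example; the metacharacter pattern is a generic heuristic, not a signature published by the project.

```python
"""Flag access-log requests to the vchamilo plugin endpoints that look like
SQL injection attempts. Added illustration; the log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory.
VCHAMILO_ENDPOINTS = {
    "/plugin/vchamilo/views/syncparams.php",
    "/plugin/vchamilo/ajax/service.php",
}
# Query parameters named in the advisory.
WATCHED_PARAMS = ("what", "settingid", "value")

# Generic SQL metacharacter / keyword heuristic (assumption: not exhaustive).
SQLI_INDICATORS = re.compile(
    r"""(['"`;]|--|/\*|\*/|\b(?:union|select|sleep|benchmark|extractvalue|updatexml)\b)""",
    re.IGNORECASE,
)

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [02/Mar/2026:15:29:01 +0000] "GET /plugin/vchamilo/ajax/service.php?what=getsettings&settingid=1%27&value=x HTTP/1.1" 500 231',
    '10.0.0.6 - admin [02/Mar/2026:15:30:44 +0000] "GET /plugin/vchamilo/ajax/service.php?what=getsettings&settingid=2&value=10 HTTP/1.1" 200 512',
    '10.0.0.8 - - [02/Mar/2026:15:30:59 +0000] "GET /index.php?value=%27 HTTP/1.1" 200 1024',
    '10.0.0.7 - admin [02/Mar/2026:15:31:10 +0000] "GET /plugin/vchamilo/views/syncparams.php?what=sync&settingid=3&value=abc HTTP/1.1" 500 198',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so an empty value= still shows up as a watched parameter
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like an injection attempt ([] if none)."""
    if rec is None or rec["path"] not in VCHAMILO_ENDPOINTS:
        return []
    reasons = []
    for name in WATCHED_PARAMS:
        val = rec["params"].get(name)
        if val is not None and SQLI_INDICATORS.search(val):
            reasons.append(f"sql metacharacters in '{name}'")
    # Error-based injection typically surfaces as 5xx responses on these endpoints.
    if rec["status"] >= 500:
        reasons.append(f"server error {rec['status']}")
    return reasons


def scan(lines):
    """Return (ip, user, path, reasons) for every suspicious request in the given lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ip"], rec["user"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, user, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} user={user} {path}: {', '.join(reasons)}")
```

Because the vulnerability requires administrative privileges, the user field in each finding is worth keeping: a hit from an account that should not be an administrator, or from an administrator account at an unusual source address, is the signal to prioritise. Pair the scan with the database server's error log for the same timestamps to confirm whether a query actually failed.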

Remediation

Users are advised to update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.

Added: Mar 2, 2026, 3:29 PM
Updated: Mar 2, 2026, 10:04 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.1
exploitability: 5.6
remediation: 7.7
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.