Chamilo LMS Error-Based SQL Injection Vulnerability in OpenID Authentication

A SQL injection vulnerability has been identified in Chamilo LMS versions prior to 1.11.30. The issue arises in the OpenID authentication module, specifically within the 'openid.assoc_handle' parameter of the 'index.php' script. This vulnerability allows attackers to manipulate database queries by injecting arbitrary SQL, potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, where an attacker can inject SQL commands that are executed by the database. This could be used to extract database information, manipulate data, or potentially execute administrative operations depending on the database permissions.

Reproduction

To reproduce this vulnerability, the OpenID authentication module must be enabled. An unauthorized user can then send a request to 'index.php' with a crafted 'openid.assoc_handle' parameter that includes SQL injection payloads. The injected SQL is executed by the application, allowing the attacker to manipulate the database query logic. After the injection, the attacker can exploit the SQL injection by, for example, extracting database information through error messages that reveal SQL query details.

Remediation

Users should update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.