Chamilo Learning Management System Error-Based SQL Injection Vulnerability in HotPotatoes Exercise Component

A high-severity error-based SQL injection vulnerability has been identified in Chamilo Learning Management System (LMS) versions prior to 1.11.30. The issue arises in the HotPotatoes exercise component, specifically within the '/main/exercise/hotpotatoes.php' script. The vulnerability allows an authorized user with administrator privileges to inject arbitrary SQL statements via the 'userFile' parameter in a POST request, manipulating the database query logic and potentially leading to unauthorized data access or modification.

Impact

Exploitation of this vulnerability allows for error-based SQL injection, where an attacker can inject SQL commands that are executed by the database. This could be used to extract, modify, or delete database information. In this case, the injection could be exploited to execute database functions, such as retrieving the database management system version, indicating the possibility of further exploitation.

Reproduction

To reproduce this vulnerability, an authorized user with administrator rights can upload a file through the 'userFile' parameter via a POST request to the '/main/exercise/hotpotatoes.php' script. The file name should be crafted to include SQL injection payloads, such as injecting SQL commands that exploit the application's SQL query handling. Once the file is uploaded, the injected SQL commands will be executed by the database, demonstrating the SQL injection vulnerability.

Remediation

Users can update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.