Chamilo LMS Time-Based SQL Injection Vulnerability in Web Services Registration SOAP Endpoint

Vulnerability

A time-based SQL injection vulnerability has been identified in Chamilo LMS versions prior to 1.11.30. The issue resides in the web services registration SOAP endpoint, specifically in the 'WSCertificatesList' function, which passes the 'startingDate' and 'endingDate' parameters into a SQL query without sufficient input validation. An attacker can therefore inject arbitrary SQL statements through these parameters, altering the query logic and potentially reading or manipulating database information.

Impact

Exploitation of this vulnerability allows for time-based SQL injection, where an attacker can interfere with the application's database queries. This could be used to extract information from the database or manipulate data, depending on the application's database permissions.

Reproduction

To reproduce this vulnerability, send a SOAP request to the 'registration.soap.php' endpoint. Include the 'startingDate' and 'endingDate' parameters. The 'endingDate' parameter can be crafted to include a SQL injection payload, such as a UNION SELECT statement that includes a sleep function. The application will take longer to respond, indicating that the injection was successful.
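The root cause stated above is missing validation of the two date parameters before they reach SQL. The following added example (not Chamilo's code) shows the allowlist check a defender can apply at the SOAP layer or in a request-log review: it assumes 'startingDate' and 'endingDate' are plain YYYY-MM-DD values, and flags any request whose values are not real calendar dates, without relying on keyword blacklists. The sample envelopes are constructed, not captured traffic.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumption: WSCertificatesList expects plain calendar dates (YYYY-MM-DD).
# An allowlist on the format means the value can never carry SQL syntax;
# the query itself should additionally use a prepared statement.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
WATCHED_PARAMS = ("startingDate", "endingDate")


def is_valid_date(value: str) -> bool:
    """True only for a well-formed, real calendar date such as 2024-02-29."""
    if not DATE_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:  # e.g. 2024-02-30
        return False
    return True


def extract_date_params(soap_body: str) -> dict:
    """Collect the watched parameters from a SOAP envelope, ignoring namespaces."""
    root = ET.fromstring(soap_body)
    found = {}
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]
        if local_name in WATCHED_PARAMS:
            found[local_name] = (el.text or "").strip()
    return found


def check_request(soap_body: str) -> list:
    """Return (parameter, value) pairs that fail the allowlist; empty means clean."""
    params = extract_date_params(soap_body)
    return [(name, val) for name, val in params.items() if not is_valid_date(val)]


# Constructed sample requests for demonstration.
BENIGN = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><WSCertificatesList>
    <startingDate>2024-01-01</startingDate>
    <endingDate>2024-12-31</endingDate>
  </WSCertificatesList></soap:Body></soap:Envelope>"""
# Same envelope with a non-date endingDate of the kind the advisory describes.
SUSPICIOUS = BENIGN.replace("<endingDate>2024-12-31",
                            "<endingDate>2024-12-31 UNION SELECT SLEEP(5)")

if __name__ == "__main__":
    print(check_request(BENIGN))      # []
    print(check_request(SUSPICIOUS))  # [('endingDate', '2024-12-31 UNION SELECT SLEEP(5)')]
```

Any non-empty result from check_request is worth alerting on, since a legitimate client has no reason to send anything but a date in these fields.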

Remediation

Users should update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.

Added: Mar 2, 2026, 3:27 PM
Updated: Mar 2, 2026, 10:02 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.