Chamilo Social Network Module Friend Request Workflow Bypass Vulnerability

Vulnerability

A logic vulnerability has been identified in Chamilo's social network module, prior to version 1.11.30. It allows an authenticated user to bypass the normal friend request process and forcibly add any user as a friend by directly calling an AJAX endpoint. Exploiting this vulnerability can add non-existent users to a friend list and disrupts the access control and social interaction logic built on friendships, potentially causing privacy issues.

Impact

Exploitation of this vulnerability allows for unauthorized addition of friends, access to content intended for friends, pollution of the friend list with fake entries, and impersonation of social relationships.

Reproduction

To reproduce this vulnerability, authenticate as a valid user and navigate to a page where the session and cookies are active. Then, manually send a friend add request to the vulnerable AJAX endpoint, including the ID of the user to be added as a friend. After confirming that the friendship has been established, this process can be repeated with other IDs, effectively adding them as friends without consent or validation of their existence.

Remediation

Users can update to Chamilo version 1.11.30, where this vulnerability has been patched.
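As an added illustration (not code from Chamilo or from this advisory), the direct-add path the advisory describes is shown beside a handler that derives the friendship from a pending request instead of a caller-supplied user ID; in-memory dicts stand in for the application's user and request tables (an assumption).

```python
from typing import Optional

# Constructed sample data standing in for the application's tables
# (assumption): three real accounts; user id 999 does not exist.
USERS = {1: "alice", 2: "bob", 3: "carol"}
REQUESTS = {}    # request id -> {"sender", "recipient", "state"}
FRIENDS = set()  # unordered pairs stored as frozenset({a, b})


def add_friend_direct(session_user: int, target_id: int) -> bool:
    """The flawed path: a caller-chosen target id is written straight into the
    friend list, with no check that the target exists or ever consented."""
    FRIENDS.add(frozenset({session_user, target_id}))
    return True


def send_friend_request(session_user: int, target_id: int) -> Optional[int]:
    """Step 1 of the intended workflow: record a pending request.
    The target must be a real account other than the sender."""
    if target_id not in USERS or target_id == session_user:
        return None
    rid = max(REQUESTS, default=0) + 1
    REQUESTS[rid] = {"sender": session_user, "recipient": target_id,
                     "state": "pending"}
    return rid


def accept_friend_request(session_user: int, request_id: int) -> bool:
    """Step 2: the friendship is derived from a pending request that the
    logged-in user is the recipient of, never from a raw user id."""
    req = REQUESTS.get(request_id)
    if req is None or req["state"] != "pending":
        return False  # unknown request, or already accepted (no replay)
    if req["recipient"] != session_user:
        return False  # only the person being asked may consent
    if req["sender"] not in USERS or req["recipient"] not in USERS:
        return False  # both sides must still be real accounts
    req["state"] = "accepted"
    FRIENDS.add(frozenset({req["sender"], req["recipient"]}))
    return True


def are_friends(a: int, b: int) -> bool:
    return frozenset({a, b}) in FRIENDS
```

The hardened handler never takes a target user ID from the client at accept time, so a request for a non-existent or non-consenting account has nothing to act on.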

Added: Mar 2, 2026, 4:29 PM
Updated: Mar 2, 2026, 9:49 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.