Chamilo LMS SocialController IDOR Vulnerability in Legal Consent Handling

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in Chamilo LMS versions through 2.0.0 Beta 1. This issue resides in the SocialController.php file, specifically within the deleteLegal function of the Legal Consent Handler component. The vulnerability allows authenticated users to manipulate the userId parameter in POST requests, enabling unauthorized access to other users' legal consent and privacy-related data. The lack of proper authorization checks when reading the userId from the request body is the root cause, allowing attackers to delete or modify legal consent records without permission.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion or modification of legal consent records for any user, potentially causing issues with account access and violating GDPR compliance.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the /social-network/delete-legal endpoint, including a userId parameter that corresponds to another user. The request will be processed without any authorization checks, allowing the attacker to delete the targeted user's legal consent record.

Remediation

It is recommended to replace the user-controlled userId parameter with the ID of the authenticated user taken from the session, so that a request can only affect the caller's own legal consent record. If administrators legitimately need to act on other users' data, add an explicit permission check before honoring a supplied userId that differs from the session user's ID.
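The following is an added example, not Chamilo's code, that contrasts the two patterns the remediation describes: a handler that trusts a client-supplied userId against one that derives the target from the authenticated session and only honors a different userId for an administrator. The User, LegalRepository and AuthorizationException classes, the in-memory sample rows, and the function names deleteLegalVulnerable and deleteLegalHardened are all hypothetical stand-ins for a real controller and persistence layer.

```php
<?php
// Added example (hypothetical, not Chamilo LMS code): trusting a POSTed userId
// versus deriving the target user from the authenticated session.
declare(strict_types=1);

// Minimal authenticated-user model (assumed shape, not Chamilo's User entity).
final class User
{
    public function __construct(public readonly int $id, public readonly bool $isAdmin) {}
}

// In-memory stand-in for the legal-consent table, seeded with constructed rows.
final class LegalRepository
{
    /** @var array<int, array{version:int, accepted:bool}> keyed by user id */
    private array $rows = [
        1 => ['version' => 3, 'accepted' => true],
        2 => ['version' => 3, 'accepted' => true],
    ];

    public function has(int $userId): bool
    {
        return isset($this->rows[$userId]);
    }

    // Returns true when a record existed and was removed.
    public function deleteByUserId(int $userId): bool
    {
        $existed = isset($this->rows[$userId]);
        unset($this->rows[$userId]);
        return $existed;
    }
}

final class AuthorizationException extends RuntimeException {}

// Vulnerable pattern: the target is whatever the client put in the POST body.
// Nothing ties $userId to $current, so any authenticated caller can name any user.
function deleteLegalVulnerable(LegalRepository $repo, User $current, array $post): bool
{
    $userId = (int) ($post['userId'] ?? 0);
    return $repo->deleteByUserId($userId);
}

// Hardened pattern: default to the session user's id. A different id is accepted
// only when the caller is an administrator; everyone else is refused before any
// database access happens.
function deleteLegalHardened(LegalRepository $repo, User $current, array $post): bool
{
    $target = isset($post['userId']) ? (int) $post['userId'] : $current->id;

    if ($target !== $current->id && !$current->isAdmin) {
        throw new AuthorizationException(
            sprintf('user %d may not delete legal consent for user %d', $current->id, $target)
        );
    }

    return $repo->deleteByUserId($target);
}

// Demonstration with a constructed request: user 1 (not an admin) posts userId=2.
$alice = new User(id: 1, isAdmin: false);
$post  = ['userId' => '2'];

$repo = new LegalRepository();
deleteLegalVulnerable($repo, $alice, $post);
printf("vulnerable handler: user 2 record still present? %s\n", $repo->has(2) ? 'yes' : 'no');

$repo = new LegalRepository();
try {
    deleteLegalHardened($repo, $alice, $post);
} catch (AuthorizationException $e) {
    printf("hardened handler refused: %s\n", $e->getMessage());
}
printf("hardened handler: user 2 record still present? %s\n", $repo->has(2) ? 'yes' : 'no');

// Same request from an administrator is allowed through the explicit check.
$admin = new User(id: 99, isAdmin: true);
deleteLegalHardened($repo, $admin, $post);
printf("admin path: user 2 record still present? %s\n", $repo->has(2) ? 'yes' : 'no');
```

The important design point is the order of operations in the hardened handler: the authorization decision is made on the session identity before the repository is touched, and the client-supplied value is only consulted after the caller has been confirmed to be allowed to act on someone else's record. In a real deployment the same check should be paired with the framework's CSRF protection on the POST endpoint, which is outside what this advisory covers.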

Added: Jan 18, 2026, 1:18 AM
Updated: Jan 18, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.