Chamilo LMS SQL Injection Vulnerability in Statistics AJAX Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Chamilo LMS versions through 1.11.34, specifically within the statistics AJAX endpoint. The vulnerability arises because the 'date_start' and 'date_end' request parameters are inserted directly into a SQL query without adequate sanitization. Although 'Database::escape_string()' is called on the values, the escaping is immediately undone by a 'str_replace()' call that restores any single quotes the escaping had neutralized, so the protection is effectively bypassed. This flaw allows authenticated attackers to inject arbitrary SQL commands, enabling blind time-based and conditional data extraction from the database.
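The escape-then-unescape pattern described above, reconstructed as an added illustration (this is not Chamilo's own code) beside a hardened form that validates the date format and binds the values as query parameters; escapeString(), the stats_events table and the PDO usage are assumptions.

```php
<?php
// Hypothetical reconstruction of the pattern described in the advisory, not
// Chamilo's actual code. escapeString() stands in for Database::escape_string()
// and is assumed to behave like mysqli_real_escape_string().
function escapeString(string $s): string {
    return addslashes($s); // escapes ' " \ and NUL
}

// Vulnerable pattern: escaping is applied, then immediately reverted.
function buildStatsQueryVulnerable(string $dateStart, string $dateEnd): string {
    $start = escapeString($dateStart);
    $end   = escapeString($dateEnd);
    // This "cleanup" puts every escaped single quote back, undoing the protection.
    $start = str_replace("\\'", "'", $start);
    $end   = str_replace("\\'", "'", $end);
    // stats_events is a placeholder table name.
    return "SELECT COUNT(*) FROM stats_events "
         . "WHERE event_date BETWEEN '$start' AND '$end'";
}

// Hardened version: accept only a strict YYYY-MM-DD value, then bind it as a
// parameter so the database never parses user input as SQL.
function validateDate(string $value): ?string {
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    // Round-trip check rejects overflowed dates such as 2024-02-30.
    return ($d && $d->format('Y-m-d') === $value) ? $value : null;
}

function prepareStatsQuery(PDO $pdo, string $dateStart, string $dateEnd): PDOStatement {
    $start = validateDate($dateStart);
    $end   = validateDate($dateEnd);
    if ($start === null || $end === null) {
        throw new InvalidArgumentException('date_start/date_end must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM stats_events '
                        . 'WHERE event_date BETWEEN :start AND :end');
    $stmt->bindValue(':start', $start);
    $stmt->bindValue(':end', $end);
    return $stmt;
}

// Constructed sample: a value containing a single quote goes through the
// vulnerable path and comes out with the quote intact in the query string.
$sample = "2024-01-01'";
echo buildStatsQueryVulnerable($sample, '2024-12-31'), "\n";
// validateDate() rejects the same value, so the hardened path never builds the query.
var_dump(validateDate($sample)); // NULL
```

In a code review, the tell-tale sign is any str_replace(), stripslashes() or similar transformation applied after the escaping call and before the value reaches the query.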

Impact

Exploitation of this vulnerability allows for SQL injection, where an authenticated attacker can manipulate database queries. This could lead to unauthorized data access or modification. The vulnerability also enables blind time-based SQL injection, where an attacker can infer information based on the time taken by the database to respond to certain queries.

Reproduction

To reproduce this vulnerability, an authenticated user with admin privileges can send a request to the statistics AJAX endpoint with crafted 'date_start' and 'date_end' parameters. The absence of proper SQL sanitization will allow the injection of arbitrary SQL commands, which can be exploited to extract data from the database under certain conditions.

Remediation

Users are advised to update Chamilo LMS to version 1.11.36, where this vulnerability has been patched.

Added: Mar 16, 2026, 9:07 PM
Updated: Mar 16, 2026, 9:07 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          2.5
  exploitability  6.0
  remediation     7.7
  relevance       4.4
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.