CVE-2021-32925: Fix XML import user_import.php results page · chamilo/chamilo-lms@e71437c
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
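The commit below routes the parse through Import::xml, whose body is not part of this diff. As an added example (not Chamilo's code), this is a loader for that position that keeps external entities from being resolved and refuses DOCTYPE declarations outright; it uses DOMDocument directly rather than DomCrawler, and the file path is a hypothetical argument.

```php
<?php
// Added example, not Chamilo's Import::xml: load a user-import XML file with
// external entity resolution disabled and reject any DOCTYPE. Assumes ext-dom;
// $path is a hypothetical path to the uploaded file.
function loadImportXml(string $path): DOMDocument
{
    $content = file_get_contents($path);
    if ($content === false) {
        throw new RuntimeException("Cannot read $path");
    }
    // Before PHP 8.0 the external entity loader is on by default; turn it off.
    // (libxml_disable_entity_loader() is deprecated in 8.0, where it is off.)
    $oldLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $oldErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument('1.0', 'UTF-8');
        // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately
        // absent so entity references are never substituted.
        if (!$dom->loadXML($content, LIBXML_NONET)) {
            throw new RuntimeException('Malformed XML import file');
        }
        // A contact import has no business carrying a DOCTYPE; refuse it so
        // neither internal nor external entities can be declared at all.
        if ($dom->doctype !== null) {
            throw new RuntimeException('DOCTYPE is not allowed in import files');
        }
        return $dom;
    } finally {
        libxml_use_internal_errors($oldErrors);
        if ($oldLoader !== null) {
            libxml_disable_entity_loader($oldLoader);
        }
    }
}

// Counterpart of the page's 'Contacts > Contact' selection: one row per
// Contact element, keyed by the names of its child elements.
function contactsToArray(DOMDocument $dom): array
{
    $rows = [];
    foreach ($dom->getElementsByTagName('Contact') as $contact) {
        $row = [];
        foreach ($contact->childNodes as $field) {
            if ($field->nodeType === XML_ELEMENT_NODE) {
                $row[$field->nodeName] = trim($field->textContent);
            }
        }
        $rows[] = $row;
    }
    return $rows;
}
```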
@@ -1,4 +1,5 @@ <?php
/* For licensing terms, see /license.txt */
use Chamilo\CoreBundle\Entity\ExtraFieldOptions; @@ -13,7 +14,6 @@ // Set this option to true to enforce strict purification for usenames. $purification_option_for_usernames = false; $userId = api_get_user_id();
api_protect_admin_script(true, null); api_protect_limit_for_session_admin(); set_time_limit(0); @@ -220,7 +220,6 @@ function save_data($users, $sendMail = false) if (!isset($inserted_in_course)) { $inserted_in_course = []; }
$usergroup = new UserGroup(); if (is_array($users)) { $efo = new ExtraFieldOption(‘user’); @@ -433,10 +432,9 @@ function parse_csv_data($users, $fileName, $sendEmail = 0, $checkUniqueEmail = t * * @return array All user information read from the file */ function parse_xml_data($file) function parse_xml_data($file, $sendEmail = 0, $checkUniqueEmail = true) { $crawler = new \Symfony\Component\DomCrawler\Crawler(); $crawler->addXmlContent(file_get_contents($file)); $crawler = Import::xml($file); $crawler = $crawler->filter('Contacts > Contact '); $array = []; foreach ($crawler as $domElement) { @@ -451,6 +449,16 @@ function parse_xml_data($file) } }
Session::write( 'user_import_data_’.api_get_user_id(), [ ‘check_unique_email’ => $checkUniqueEmail, ‘send_email’ => $sendEmail, ‘date’ => api_get_utc_datetime(), ‘log_messages’ => '’, ] );
return $array; }
@@ -548,7 +556,11 @@ function processUsers(&$users, $sendMail) $users = validate_data($users, $checkUniqueEmail); $error_kind_file = false; } elseif (strcmp($file_type, ‘xml’) === 0 && $ext_import_file == $allowed_file_mimetype[1]) { $users = parse_xml_data($_FILES[‘import_file’][‘tmp_name’]); $users = parse_xml_data( $_FILES[‘import_file’][‘tmp_name’], $sendMail, $checkUniqueEmail ); $users = validate_data($users, $checkUniqueEmail); $error_kind_file = false; } @@ -590,15 +602,17 @@ function processUsers(&$users, $sendMail) $formContinue = false; $resumeStop = true; if (!empty($importData)) { $isResume = $importData[‘resume’]; $isResume = $importData[‘resume’] ?? false;
$formContinue = new FormValidator('user_import_continue’, ‘post’, api_get_self()); $label = get_lang(‘Results’); if ($isResume) { $label = get_lang(‘ContinueLastImport’); } $formContinue->addHeader($label); $formContinue->addLabel(get_lang(‘File’), $importData[‘filename’]); if (isset($importData[‘filename’])) { $formContinue->addLabel(get_lang(‘File’), $importData[‘filename’] ?? ‘’); }
$resumeStop = true; if ($isResume) { @@ -614,10 +628,12 @@ function processUsers(&$users, $sendMail) $importData[‘counter’].’ / '.count($importData[‘complete_list’]) ); } else { $formContinue->addLabel( get_lang(‘Users’), count($importData[‘complete_list’]) ); if (!empty($importData[‘complete_list’])) { $formContinue->addLabel( get_lang(‘Users’), count($importData[‘complete_list’]) ); } }
$formContinue->addLabel(
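Review bot: the new import `use Chamilo\CoreBundle\Entity\ExtraFieldOptions;` in the first hunk appears unused in this diff; the only related construction visible is `$efo = new ExtraFieldOption('user');` in save_data, which is a different class. Either drop the import or show where ExtraFieldOptions is referenced.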
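Review bot: in the parse_xml_data hunk the docblock still ends at `@return array All user information read from the file` and gains no `@param` lines for the new `$sendEmail` and `$checkUniqueEmail` parameters; add them. Since the entity-loading fix now rests entirely on `$crawler = Import::xml($file);`, whose body is not in this diff, confirm that helper parses with external entity loading disabled (LIBXML_NONET, no LIBXML_NOENT, DOCTYPE refused) and cover it with a regression test that feeds a document declaring an external entity and asserts the entity is not resolved.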
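Review bot: the Session::write hunk stores `'send_email' => $sendEmail`, but the declared default is the integer `0` while the call site in processUsers passes `$sendMail` straight through, so the stored value's type depends on the caller; a `bool` type hint on the new parameter (and on the matching `$sendEmail = 0` default of parse_csv_data, visible in the hunk context) would make the session payload consistent for the code that later reads it.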
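Review bot: in the results-form hunk, `$importData['filename'] ?? ''` sits inside `if (isset($importData['filename']))`, so the null-coalescing fallback can never apply; keep either the isset guard or the `?? ''`, not both. The `$isResume = $importData['resume'] ?? false;` change is the right fix for the undefined-index notice on a first import.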
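Review bot: the last hunk guards the non-resume `count($importData['complete_list'])` with `!empty($importData['complete_list'])`, but the resume branch just above it still evaluates `$importData['counter'].' / '.count($importData['complete_list'])` unguarded; if complete_list can be absent there as well, apply the same guard, otherwise a short comment on why a resume always carries complete_list would help the next reader.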
Related news
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.
Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.
SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.
Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.
An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.
Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.
A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.