Possible RCE Vulnerability In Chamilo LMS Patched

Chamilo LMS at Web Hosting Magic

mPDF is a PHP library that generates PDF files from UTF-8 encoded HTML.

Chamilo uses this library to convert HTML to PDF.

It has been discovered that this can be abused in all 1.11.* versions by anyone able to edit the HTML (that is, anyone with editing permissions) to trigger a Remote Code Execution vulnerability.

Softaculous, a 1-click app installer, has released an update for Chamilo to patch this.

Customers installing new Chamilo applications will use the updated version.

While existing installations were not updated (since the current Chamilo version number is the same), Chamilo believes there are enough conditions and features in Chamilo to mitigate or remove this issue.

There is every reason to believe so, as the team behind Chamilo LMS has a great track record for fixing reported security issues and publishing fixes prior to the official publication of the vulnerabilities on official sites.

So when the Chamilo team releases a new version (including the Chamilo 2.0 which is still in development), Softaculous will release the new version.

And existing users can then upgrade their installations to the latest version with the patch.

For more information on the nature of this vulnerability, please visit research.securitum.com

If you want to manually tweak your files, then visit github.com/chamilo/chamilo-lms

Note that this is not limited to Chamilo only.

It is an issue that affects any application using the library.

Chamilo is a learning management system (LMS) and web application often used by schools and educational institutions.

If you would like to know more about this LMS, please visit www.webhostingmagic.com/chamilo-lms-hosting.html.

Softaculous automates the installation of web applications to a website so that you can focus on using your apps, rather than spending time on installing/managing them.

bbPress Security Vulnerability Fixed With 2.6.5

If you are using the popular WordPress plugin bbPress, please do update the plugin and install the latest version, as versions from 2.6.0 to 2.6.4 contain a serious vulnerability.

Many of our customers use bbPress to create online forums on their WordPress-powered websites.

The discovered vulnerability allows unauthenticated users to escalate their privileges and become an administrator or moderator.

When the intruder gains access as an administrator, he or she can add or remove posts, topics, and entire forum sections.

He or she can manage the website settings, including internal spam protection.

This can obviously lead to data loss, or to the disclosure of sensitive information contained in a forum's private sections.

The vulnerability is caused by the flawed callback function bbp_user_add_role_on_register, which handles the register_new_user event and therefore runs every time a new user is registered.

The function is located in bbpress/includes/users/signups.php.

bbp_user_add_role_on_register blindly uses the value of the bbp-forums-role POST parameter, without any validation, to decide which forum role the newly registered user receives.

With these privileges, attackers can gain access to protected data and do whatever they want on the forum.

Our security rules have been updated to prevent bbPress users from exploiting the vulnerability, while at the same time avoiding false positives.

Please do update at once as the bbp_user_add_role_on_register issue has been fixed with version 2.6.5 now available on production systems.

It now includes validation logic that ensures only an administrator can grant users such privileges.
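The pattern behind this bug, as an added stand-alone PHP illustration (not bbPress's own code): a registration hook that trusts a role field supplied by the registering visitor, next to a hardened version that only honours the field when the caller holds the role-management capability and the value is a known forum role. The role names and the $callerCanManageRoles flag are assumptions; in a real plugin that flag would come from a capability check such as current_user_can().

```php
<?php
// Added illustration, not bbPress code: how an unvalidated POST role field
// on a registration hook becomes privilege escalation, and how to gate it.

// Forum roles assumed for the example; the keymaster role is treated as the
// forum-level administrator and the participant role as the safe default.
const FORUM_ROLES  = ['bbp_keymaster', 'bbp_moderator', 'bbp_participant',
                      'bbp_spectator', 'bbp_blocked'];
const DEFAULT_ROLE = 'bbp_participant';

// Vulnerable pattern: whatever the registering visitor put in the
// bbp-forums-role field is assigned as that user's forum role.
function vulnerable_role_on_register(array $post): string
{
    return $post['bbp-forums-role'] ?? DEFAULT_ROLE;
}

// Hardened pattern: a self-registering visitor is never trusted with a role
// choice. Only a caller who may manage roles can pick one, and only from the
// roles the forum defines; every other request falls back to the default.
function hardened_role_on_register(array $post, bool $callerCanManageRoles): string
{
    if (!$callerCanManageRoles) {
        return DEFAULT_ROLE;
    }
    $requested = (string) ($post['bbp-forums-role'] ?? '');
    if (!in_array($requested, FORUM_ROLES, true)) {
        return DEFAULT_ROLE;
    }
    return $requested;
}

// Constructed request: an anonymous visitor registering with a forged field.
$forged = ['user_login' => 'newuser', 'bbp-forums-role' => 'bbp_keymaster'];

printf("vulnerable:            %s\n", vulnerable_role_on_register($forged));
printf("hardened (anonymous):  %s\n", hardened_role_on_register($forged, false));
printf("hardened (admin):      %s\n", hardened_role_on_register($forged, true));
```

Running it with the PHP CLI shows the vulnerable handler handing the forged keymaster role to an anonymous registrant, while the hardened handler gives that registrant the default role and honours the field only for a caller allowed to manage roles.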

When granting such privileges, remember the principle of least privilege, which states that "a subject should be given only those privileges needed for it to complete its task".

If a subject does not need an access right, the subject should not have that right.

Further, the function of the subject (as opposed to its identity) should control the assignment of rights. If a specific action requires that a subject's access rights be augmented, those extra rights should be relinquished immediately upon completion of the action.