Adding security fixes see:

https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues

Author: jmontoyaa

main/auth/profile.php

@@ -356,7 +356,7 @@ function check_user_password($password){
     $user_id = api_get_user_id();
     if ($user_id != strval(intval($user_id)) || empty($password)) { return false; }
     $table_user = Database :: get_main_table(TABLE_MAIN_USER);
-    $password = api_get_encrypted_password($password);
+    $password = Database::escape_string(api_get_encrypted_password($password));
     $sql_password = "SELECT * FROM $table_user WHERE user_id='".$user_id."' AND password='".$password."'";
     $result = Database::query($sql_password);
     return Database::num_rows($result) != 0;

main/course_info/infocours.php

@@ -44,12 +44,12 @@
 
 //LOGIC FUNCTIONS
 function is_settings_editable() {
-	return isset($GLOBALS['course_info_is_editable']) && $GLOBALS['course_info_is_editable'];
+    return isset($GLOBALS['course_info_is_editable']) && $GLOBALS['course_info_is_editable'];
 }
 
 /* MAIN CODE */
 if (!$is_allowedToEdit) {
-	api_not_allowed(true);
+    api_not_allowed(true);
 }
 
 $show_delete_watermark_text_message = false;
@@ -78,8 +78,8 @@ function is_settings_editable() {
 $q_result_titulars = Database::query($s_sql_course_titular);
 
 if (Database::num_rows($q_result_titulars) == 0) {
-	$sql = "SELECT username, lastname, firstname FROM $tbl_user as user, $tbl_admin as admin WHERE admin.user_id=user.user_id ORDER BY ".$target_name." ASC";
-	$q_result_titulars = Database::query($sql);
+    $sql = "SELECT username, lastname, firstname FROM $tbl_user as user, $tbl_admin as admin WHERE admin.user_id=user.user_id ORDER BY ".$target_name." ASC";
+    $q_result_titulars = Database::query($sql);
 }
 
 $a_profs[0] = '-- '.get_lang('NoManager').' --';
@@ -134,7 +134,7 @@ function is_settings_editable() {
 
 
 $form->add_textfield('title', get_lang('Title'), true, array('class' => 'span6'));
-//$form->applyFilter('title', 'html_filter');
+$form->applyFilter('title', 'html_filter');
 $form->applyFilter('title', 'trim');
 
 //$form->add_textfield('tutor_name', get_lang('Professors'), true, array ('size' => '60'));
@@ -154,9 +154,11 @@ function is_settings_editable() {
 $form->addElement('select_language', 'course_language', array(get_lang('Ln'), get_lang('TipLang')));
 
 $form->add_textfield('department_name', get_lang('Department'), false, array('class' => 'span5'));
+$form->applyFilter('department_name', 'html_filter');
 $form->applyFilter('department_name', 'trim');
 
 $form->add_textfield('department_url', get_lang('DepartmentUrl'), false, array('class' => 'span5'));
+$form->applyFilter('department_url', 'html_filter');
 //$form->addRule('tutor_name', get_lang('ThisFieldIsRequired'), 'required');
 
 
@@ -424,7 +426,7 @@ function is_settings_editable() {
 
     //Variables that will be saved in the TABLE_MAIN_COURSE table
     $update_in_course_table = array('title', 'course_language','category_code','department_name', 'department_url','visibility',
-    								'subscribe', 'unsubscribe','tutor_name','course_registration_password', 'legal', 'activate_legal');
+        'subscribe', 'unsubscribe','tutor_name','course_registration_password', 'legal', 'activate_legal');
 
     foreach ($update_values as $index =>$value) {
         $update_values[$index] = Database::escape_string($value);

main/inc/lib/fckeditor/editor/filemanager/connectors/php/config.php

@@ -22,77 +22,87 @@
  * Configuration file for the File Manager Connector for PHP.
  */
 
-// Modifications by Ivan Tcholakov, JUN-2009. 
+// Modifications by Ivan Tcholakov, JUN-2009.
 
 // Some language variables are needed.
 $language_file = array('create_course');
 
 // Loading the global initialization file, Chamilo LMS.
 require_once '../../../../../../global.inc.php';
 
+// Disabling access for anonymous users.
+api_block_anonymous_users();
+
 // Initialization of the repositories.
 require_once api_get_path(LIBRARY_PATH).'fckeditor/repository.php' ;
 
-global $Config ;
+global $Config;
 
 // SECURITY: You must explicitly enable this "connector". (Set it to "true").
 // WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
 //		authenticated users can access this file or use some kind of session checking.
 $Config['Enabled'] = true ;
 
-
 // Path to user files relative to the document root.
-//$Config['UserFilesPath']
+$Config['UserFilesPath'] = null;
+
+$userId = api_get_user_id();
+
+
 if (api_is_in_course()) {
-	if (!api_is_in_group()) {
-		// 1. We are inside a course and not in a group.
-		if (api_is_allowed_to_edit()) {
-			$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document/';
-		} else {
-			// 1.2. Student	
-			$current_session_id = api_get_session_id();
-			if($current_session_id==0)
-			{
-				$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.api_get_user_id().'/';
-			}
-			else
-			{
-				$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.api_get_user_id().'/';		
-			}
-		}
-	} else {
-		// 2. Inside a course and inside a group.
-		global $group_properties;
-		$Config['UserFilesPath'] = api_get_path(REL_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
-	}
+    $coursePath = api_get_path(REL_COURSE_PATH).api_get_course_path();
+    if (!api_is_in_group()) {
+        // 1. We are inside a course and not in a group.
+        if (api_is_allowed_to_edit()) {
+            $Config['UserFilesPath'] = $coursePath.'/document/';
+        } else {
+            // 1.2. Student
+            $current_session_id = api_get_session_id();
+            if ($current_session_id == 0) {
+                $Config['UserFilesPath'] = $coursePath.'/document/shared_folder/sf_user_'.$userId.'/';
+            } else {
+                $Config['UserFilesPath'] = $coursePath.'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.$userId.'/';
+            }
+        }
+    } else {
+        $groupId = api_get_group_id();
+        $groupInfo = GroupManager::get_group_properties($groupId);
+        if (!empty($groupInfo)) {
+            // 2. Inside a course and inside a group.
+            $Config['UserFilesPath'] = $coursePath.'/document'.$groupInfo['directory'].'/';
+        }
+    }
 } else {
-	if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin') {
-		// 3. Platform administration activities.
-		$Config['UserFilesPath'] = api_get_path(REL_PATH).'home/default_platform_document/';
-	} else {
-		// 4. The user is outside courses.
-        $my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(),'rel');
-		$Config['UserFilesPath'] = $my_path['dir'].'my_files/';
-	}
+    if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin') {
+        // 3. Platform administration activities.
+        $Config['UserFilesPath'] = api_get_path(REL_PATH).'home/default_platform_document/';
+    } else {
+        // 4. The user is outside courses.
+        $my_path = UserManager::get_user_picture_path_by_id($userId, 'rel');
+        $Config['UserFilesPath'] = $my_path['dir'].'my_files/';
+    }
 }
 
+if (empty($Config['UserFilesPath'])) {
+    api_not_allowed(true);
+}
 
 // Fill the following value it you prefer to specify the absolute path for the
 // user files directory. Useful if you are using a virtual directory, symbolic
 // link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
 // Attention: The above 'UserFilesPath' must point to the same directory.
-$Config['UserFilesAbsolutePath'] = rtrim(api_get_path(SYS_SERVER_ROOT_PATH), '/') . $Config['UserFilesPath'] ;
+$Config['UserFilesAbsolutePath'] = rtrim(api_get_path(SYS_SERVER_ROOT_PATH), '/').$Config['UserFilesPath'];
 
 // Due to security issues with Apache modules, it is recommended to leave the
 // following setting enabled.
-$Config['ForceSingleExtension'] = true ;
+$Config['ForceSingleExtension'] = true;
 
 // Perform additional checks for image files.
 // If set to true, validate image size (using getimagesize).
 $Config['SecureImageUploads'] = true;
 
 // What the user can do with this connector.
-$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
+$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder');
 
 // Allowed Resource Types.
 $Config['ConfigAllowedTypes'] = array('File', 'Audio', 'Images', 'Flash', 'Media', 'MP3', 'Video', 'Video/flv') ;
@@ -160,8 +170,7 @@
 			$Config['QuickUploadAbsolutePath']['Image']	= $Config['UserFilesAbsolutePath'] ;
 		into:
 			$Config['QuickUploadPath']['Image']			= $Config['FileTypesPath']['Image'] ;
-			$Config['QuickUploadAbsolutePath']['Image'] 	= $Config['FileTypesAbsolutePath']['Image'] ;
-
+			$Config['QuickUploadAbsolutePath']['Image'] 	= $Config['FileTypesAbsolutePath']['Image'];
 */
 
 // Files
@@ -220,5 +229,3 @@
 $Config['FileTypesAbsolutePath']['Video/flv']	= $Config['UserFilesAbsolutePath'] . 'video/flv/' ;
 $Config['QuickUploadPath']['Video/flv']			= $Config['UserFilesPath'] . 'video/flv/' ;
 $Config['QuickUploadAbsolutePath']['Video/flv']	= $Config['UserFilesAbsolutePath'] . 'video/flv/' ;
-
-?>

main/inc/lib/fckeditor/editor/plugins/ImageManager/config.inc.php

@@ -27,62 +27,54 @@
  in this directory and its subdirectories.
 */
 $language_file = array('document');
-include '../../../../../../inc/global.inc.php';
+
+require_once '../../../../../../inc/global.inc.php';
+api_block_anonymous_users();
+
+// Disabling access for anonymous users.
+api_block_anonymous_users();
 
 // Initialization of the repositories.
 require_once api_get_path(LIBRARY_PATH).'fckeditor/repository.php';
 
+$userId = api_get_user_id();
+
 // Choosing the repository to be used.
-if (api_is_in_course())
-{
-	if (!api_is_in_group())
-	{
-		// 1. We are inside a course and not in a group.
-		if (api_is_allowed_to_edit())
-		{
-			// 1.1. Teacher
-			$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/';
-			$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/';
-		}
-		else
-		{
-			// 1.2. Student			
-			$current_session_id = api_get_session_id();
-			if($current_session_id==0)
-			{
-				$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.api_get_user_id().'/';
-				$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.api_get_user_id().'/';
-			}
-			else
-			{
-				$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.api_get_user_id().'/';
-				$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$current_session_id.'/sf_user_'.api_get_user_id().'/';	
-			}	
-		}
-	}
-	else
-	{
-		// 2. Inside a course and inside a group.
-		$IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
-		$IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
-	}
-}
-else
-{
-	if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin')
-	{
-		// 3. Platform administration activities.
-		$IMConfig['base_dir'] = $_configuration['root_sys'].'home/default_platform_document/';
-		$IMConfig['base_url'] = $_configuration['root_web'].'home/default_platform_document/';
-	}
-	else
-	{
-		// 4. The user is outside courses.
-        $my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(),'system');
-		$IMConfig['base_dir'] = $my_path['dir'].'my_files/';
-        $my_path = UserManager::get_user_picture_path_by_id(api_get_user_id(),'web');
-		$IMConfig['base_url'] = $my_path['dir'].'my_files/';
-	}
+if (api_is_in_course()) {
+    if (!api_is_in_group()) {
+        // 1. We are inside a course and not in a group.
+        if (api_is_allowed_to_edit()) {
+            // 1.1. Teacher
+            $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/';
+            $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/';
+        } else {
+            // 1.2. Student
+            $sessionId = api_get_session_id();
+            if ($sessionId == 0) {
+                $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.$userId.'/';
+                $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder/sf_user_'.$userId.'/';
+            } else {
+                $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$sessionId.'/sf_user_'.$userId.'/';
+                $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document/shared_folder_session_'.$sessionId.'/sf_user_'.$userId.'/';
+            }
+        }
+	} else {
+        // 2. Inside a course and inside a group.
+        $IMConfig['base_dir'] = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
+        $IMConfig['base_url'] = api_get_path(WEB_COURSE_PATH).api_get_course_path().'/document'.$group_properties['directory'].'/';
+    }
+} else {
+    if (api_is_platform_admin() && $_SESSION['this_section'] == 'platform_admin') {
+        // 3. Platform administration activities.
+        $IMConfig['base_dir'] = $_configuration['root_sys'].'home/default_platform_document/';
+        $IMConfig['base_url'] = $_configuration['root_web'].'home/default_platform_document/';
+    } else {
+        // 4. The user is outside courses.
+        $my_path = UserManager::get_user_picture_path_by_id($userId, 'system');
+        $IMConfig['base_dir'] = $my_path['dir'].'my_files/';
+        $my_path = UserManager::get_user_picture_path_by_id($userId, 'web');
+        $IMConfig['base_url'] = $my_path['dir'].'my_files/';
+    }
 }
 
 $IMConfig['server_name'] = $_SERVER['SERVER_NAME'];
@@ -91,11 +83,8 @@
  demo - when true, no saving is allowed
 */
 $IMConfig['demo'] = false;
-
 /*
-
   Possible values: true, false
-
   TRUE - If PHP on the web server is in safe mode, set this to true.
          SAFE MODE restrictions: directory creation will not be possible,
 		 only the GD library can be used, other libraries require

main/inc/lib/fckeditor/editor/plugins/MP3/fck_mp3.php

@@ -2,6 +2,10 @@
 // name of the language file that needs to be included
 $language_file = array('resourcelinker','document');
 include('../../../../../../inc/global.inc.php');
+
+// Disabling access for anonymous users.
+api_block_anonymous_users();
+
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <html>

main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/inc/config.php

@@ -16,8 +16,9 @@
 // Loading the global initialization file.
 require_once '../../../../../../inc/global.inc.php';
 
-// Loading document repositories settings.
+api_block_anonymous_users();
 
+// Loading document repositories settings.
 require_once api_get_path(LIBRARY_PATH).'fckeditor/repository.php';
 
 //FILESYSTEM CONFIG
@@ -48,7 +49,6 @@ function secureFileName($input) {
 define('DIR_AJAX_EDIT_AREA', DIR_AJAX_JS.'edit_area'.DIRECTORY_SEPARATOR);
 define('DIR_LANG', DIR_AJAX_ROOT.'langs'.DIRECTORY_SEPARATOR);
 
-
 //Class Declarations
 define('CLASS_FILE', DIR_AJAX_INC.'class.file.php');
 define("CLASS_UPLOAD", DIR_AJAX_INC.'class.upload.php');
@@ -69,7 +69,6 @@ function secureFileName($input) {
 
 require_once dirname(__FILE__).DIRECTORY_SEPARATOR.$configBaseFileName;
 
-
 // Loading the selected language file.
 require_once DIR_AJAX_LANGS.CONFIG_LANG_DEFAULT.".php";
 
@@ -116,4 +115,4 @@ function secureFileName($input) {
 define('CONFIG_URL_LIST_LISTING', 'ajax_get_file_listing.php');
 define('CONFIG_URL_IMG_THUMBNAIL', $web_path.'ajax_image_thumbnail.php');
 define('CONFIG_URL_FILEnIMAGE_MANAGER', 'ajaxfilemanager.php');
-define('CONFIG_URL_FILE_PASTE', 'ajax_file_paste.php');
+define('CONFIG_URL_FILE_PASTE', 'ajax_file_paste.php');