CVE-2025-50192 Overview
CVE-2025-50192 is a time-based SQL injection vulnerability affecting Chamilo Learning Management System (LMS) prior to version 1.11.30. The vulnerability exists in the /main/webservices/registration.soap.php endpoint, which fails to properly sanitize user-supplied date parameters before incorporating them into SQL queries. This allows unauthenticated attackers to inject malicious SQL statements that can exfiltrate sensitive data from the database or cause denial of service conditions.
Chamilo is a widely-used open-source e-learning and content management system deployed by educational institutions and organizations worldwide. The affected SOAP webservice endpoint is responsible for handling certificate registration queries, making this a particularly sensitive attack surface for systems managing student records and credentials.
Critical Impact
Unauthenticated attackers can exploit this SQL injection vulnerability over the network to extract sensitive database contents including user credentials, student records, and certificate information, or cause service disruptions through resource exhaustion.
Affected Products
- Chamilo LMS versions prior to 1.11.30
- Systems with SOAP webservices enabled at /main/webservices/registration.soap.php
- All deployments using the vulnerable certificate query functionality
Discovery Timeline
- 2026-03-02 - CVE-2025-50192 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2025-50192
Vulnerability Analysis
The vulnerability resides in the certificate query functionality within the SOAP registration service. The application constructs SQL queries dynamically using date parameters ($startingDate and $endingDate) supplied through SOAP requests without proper sanitization or parameterization.
This is a classic time-based blind SQL injection vulnerability. In blind SQL injection scenarios, the application does not return database error messages or query results directly to the attacker. Instead, attackers infer information by observing timing differences in server responses when injecting conditional statements that cause database delays (e.g., using SLEEP() or BENCHMARK() functions in MySQL).
The network-accessible nature of this vulnerability, combined with no authentication requirements, significantly increases its exploitability. Attackers can systematically extract entire database contents character by character by measuring response time differentials.
Root Cause
The root cause is improper input validation and the use of string concatenation to build SQL queries (CWE-89: SQL Injection). The vulnerable code directly interpolates user-controlled date values into SQL WHERE clauses using string formatting:
WHERE certificate.created_at BETWEEN '$startingDate' AND '$endingDate'
This pattern allows attackers to break out of the string context and inject arbitrary SQL commands. The lack of prepared statements or parameterized queries means there is no separation between SQL code and user data.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends crafted SOAP requests to the /main/webservices/registration.soap.php endpoint with malicious payloads in the date parameters.
$userTable = Database::get_main_table(TABLE_MAIN_USER);
$categoryTable = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
- $query = "SELECT
- certificate.id,
- user.username,
- category.course_code,
- category.session_id,
- certificate.user_id,
- certificate.cat_id,
- certificate.created_at,
- certificate.path_certificate
- FROM $certificateTable AS certificate
- JOIN $userTable AS user
- ON certificate.user_id = user.user_id
- JOIN $categoryTable AS category
- ON certificate.cat_id = category.id";
+ $conditions = [];
if (!empty($startingDate) && !empty($endingDate)) {
- $query .= " WHERE certificate.created_at BETWEEN '$startingDate' AND '$endingDate'";
+ $conditions['certificate.created_at BETWEEN ? AND ?'] = [$startingDate, $endingDate];
} elseif (!empty($startingDate)) {
- $query .= " WHERE certificate.created_at >= '$startingDate'";
+ $conditions['certificate.created_at >= ?'] = [$startingDate];
} elseif (!empty($endingDate)) {
- $query .= " WHERE certificate.created_at <= '$endingDate'";
+ $conditions['certificate.created_at <= ?'] = [$endingDate];
}
Source: GitHub Commit fd0f2a9
The fix replaces direct string interpolation with parameterized queries using placeholder syntax (?), ensuring date values are properly escaped and treated as data rather than executable SQL code.
Detection Methods for CVE-2025-50192
Indicators of Compromise
- Unusual or malformed SOAP requests to /main/webservices/registration.soap.php containing SQL syntax
- HTTP requests with date parameters containing single quotes, SLEEP(), BENCHMARK(), or WAITFOR functions
- Abnormally slow response times from the SOAP endpoint indicating time-based injection attempts
- Web server logs showing repeated requests to the registration SOAP service with varying payloads
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in SOAP request bodies
- Monitor for requests containing SQL time-delay functions (SLEEP, BENCHMARK, WAITFOR DELAY) in date parameters
- Implement anomaly detection for response time variations on the affected endpoint
- Review access logs for sequential requests with incrementing or binary search-pattern payloads typical of blind SQL injection tools
Monitoring Recommendations
- Enable detailed logging for all SOAP webservice endpoints in Chamilo
- Set up alerting for database query execution times exceeding normal thresholds
- Monitor network traffic to the Chamilo server for automated SQL injection scanning tools (sqlmap, jSQL)
- Track failed or malformed SOAP requests as potential reconnaissance activity
How to Mitigate CVE-2025-50192
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.30 or later immediately
- If immediate patching is not possible, disable or restrict access to the SOAP webservices endpoint
- Review database access logs for evidence of prior exploitation
- Consider implementing IP-based access controls for the webservices directory
Patch Information
Chamilo has released version 1.11.30 which addresses this vulnerability by implementing parameterized queries for date handling in the SOAP registration service. The security patch is available in commit fd0f2a95b21fa28da47d785c88b879a77951b0f7. For detailed information, refer to the GitHub Security Advisory GHSA-g389-qq92-qxxf and the v1.11.30 release.
Workarounds
- Disable SOAP webservices entirely if not required by blocking access to /main/webservices/
- Implement network-level access controls to restrict SOAP endpoint access to trusted IP addresses only
- Deploy a WAF with SQL injection detection rules as a temporary mitigation layer
- Monitor the affected endpoint closely while planning the upgrade
# Block access to SOAP webservices directory in Apache
<Directory "/var/www/chamilo/main/webservices">
Require ip 192.168.1.0/24
# Or deny all access if SOAP services are not needed
# Require all denied
</Directory>
# For nginx, add to server block:
# location /main/webservices/ {
# allow 192.168.1.0/24;
# deny all;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
