[URGENT] Hostinger no longer supports Chamilo #5160
-
Hi @PoleNumeriqueCFASete
-
I realized I didn't answer your question. Although the costs of hosting with Hostinger are very difficult to match (and so we don't, because we also need to provide some level of support, which apparently is not always the case with Hostinger), you can contact the official providers of Chamilo for a hosting quote. If you want to speed things up, explain (in an e-mail, not here) that you are coming from Hostinger and how many users are registered in your Chamilo instance. We've been rescuing a few portals already this week. It takes a few hours but is entirely possible (to move away from Hostinger) as long as a few backup copies are taken from your system on the Hostinger side.
Official Chamilo providers: https://chamilo.org/en/providers/
Please note that, even though it is more expensive, by using Chamilo as a hosted service with an official Chamilo provider, you support the project by contributing financially to its sustainability. We are all small-sized companies fighting hard to continue providing the Chamilo software for free, and hosting with any of these providers provides the whole project with increased stability and confidence to invest further and accelerate the development efforts.
-
OK, so for all those affected by this issue, this is a short summary: Hostinger got it wrong but not sure they will recognize it. They believe the critical vulnerability here https://nvd.nist.gov/vuln/detail/CVE-2023-34960 was never addressed and, because of that, they want to protect their other services by preventing any further attack on Chamilo portals. The only thing is Chamilo 1.11.24 already had the fix. The issue is some of you never updated your portals, got hacked, and that gave additional work to Hostinger, so... bye bye Chamilo.
Now this is a long summary: On the 20th of April 2023, a critical vulnerability was reported in Chamilo. Chamilo provided a patch on the 1st of May (actually we provided a patch previously to the author of the report but had a few exchanges before it was perfected and we published on the 1st of May). This took us 10 days. We published that information on our security page (now https://github.com/chamilo/chamilo-lms/wiki/security-issues) and on Twitter, where we believed to have the most "tech savvy" Chamilo admins connected.
Obviously, calling for the attention of the public at large on a critical vulnerability that allows remote command executions was not a good idea. Not for our image, but because some people just watch for those to find new targets to attack, and we knew our community is a bit slow to update portals (we are still talking today to people about updating portals installed in 2010, 14 years ago, and never updated).
A few weeks later, a black hat hacker somewhere used the specs of the vulnerability to develop a script that automates the process of finding Chamilo portals and hacking them if they were not patched. This caused a lot of harm, but we had provided a patch and had tried our best to communicate about the issue. Issue #4751 was opened by one of our users to share his frustration and make us find better ways to communicate in the future, and we discussed it there.
Then we published a complete new, unplanned version of Chamilo (1.11.22) on the 3rd of August to help people fix their Chamilo portal more easily (the release process of a new Chamilo version like 1.11.22 was 80+ hours of work, which are not financed by any subvention or customer of any kind, which you have to fit between your working hours for customers and your private life). Version 1.11.22 thus fixed the issue, but a new issue (same file) was detected later on and we published yet another patch and a bit later a new release, v1.11.24 (less preparation this time around) on the 30th of August 2023.
Since then (August 2023), this issue was fixed in the Chamilo software, only that it still needed to be applied to all Chamilo portals worldwide. How do we do that? Well... we don't have a secret "Batman" spotlight or anything. We don't have the permission to contact you either (GDPR and other personal data protection laws). So we communicated that, several times on our social network and you all saw the official version of Chamilo increase in your administration panel (if you had checked the "Version check" option when you installed Chamilo). So we know we want to implement something in the administration panel to help you know about this stuff, but what if you don't look at that space for a long time (here it only took 2 weeks between the publication of the vulnerability and the patch and someone providing a script to automate an attack)?
Now, fast forward from August 2023 to February 2024, Hostinger decided to just cancel all of its Chamilo portals, not because it is the right thing to do, but because they got the wrong information and never asked (we have an open forum, an open issues queue, a security page, a security e-mail and a general information e-mail, all open for this kind of request for information, but no request ever came). I do respect the business view of Hostinger, that if they want to cut their costs, they have to stop the bleeding.
I only lament that they took this decision based on a completely erroneous assumption (that we still didn't fix the issue) and that their communication to you (their customers) was to suggest Chamilo could be insecure, while we have a great security policy and always patch vulnerabilities super quickly.
Now we need to work on how to better, more easily, make you update your portals (at least security-wise) so that you don't pose a threat to your hosting company (in particular ones with very accessible prices). We have started working on this, but this is long and complicated work. So as always: we are open for help.
In the meantime, please follow https://twitter.com/chamilosecurity if you use X, or make sure you check your "Version check" box frequently in your admin panel and update as soon as an update is available, or at minimum check the release notes to see if any security patch is present. You are also part of the Chamilo Community, and you help us lift the Chamilo brand higher by doing this little extra step. Thank you!
-
Hi there, As of today, May 10th, Hostinger still no longer supports Chamilo. This is the message from the support team: "Your Hosting plan has been suspended as a result of using Chamilo CMS. It has come to our attention that Chamilo CMS poses significant security vulnerabilities, which could potentially impact the smooth delivery of our services. Checking with our team, it is still not possible to install even the newer version of Chamilo. It will be fine if you contact Hostinger and tell them the security issue is no longer active. Thank you
-
Hi there,
This morning, we noticed that our site hosting Chamilo (v.1.11.26) was no longer available.
After contacting Hostinger support (our hosting provider), we were informed that they had cut off all communication with the site due to a security vulnerability, and that this was directly linked to the Chamilo LMS.
Here is the translation of the message received:
"Hello,
Your website has been suspended due to the detection of a potential security flaw in your Chamilo CMS, installed for (our website).
This may expose your website to security risks, as the vulnerability can be exploited to gain unauthorized access and execute commands.
Due to potential security issues, we will no longer support Chamilo CMS."
We find ourselves in a very uncomfortable situation given that the entire hosting solution is reserved for Chamilo for the convenience of our learners and trainers, and today they no longer have access to the courses and documents at all.
Could you give us a quick solution?
We look forward to hearing from you.