Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 1.11.8
An arbitrary file upload vulnerability exists in Chamilo LMS versions through 1.11.8. It allows authenticated users to upload and execute PHP files via the elFinder file manager module. Exploitation involves uploading files that carry image headers in the 'my files' section, renaming them to a PHP extension, and then executing arbitrary code by accessing the uploaded files.
Successful exploitation allows for arbitrary file upload, with the potential execution of uploaded PHP files, leading to arbitrary code execution on the server.
To reproduce this vulnerability, an authenticated user uploads a file through the elFinder file manager module. After registration, the 'my files' section can be accessed. Files can be uploaded in GIF format and then renamed to a PHP extension; if the rename function is disabled, a specific header can be added to bypass this restriction. Once uploaded, the files can be accessed and the PHP code they contain is executed.
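A defender-side check for the pattern described above, as an added example that is not part of the original advisory or of Chamilo's code: it walks an upload directory and flags files with a script extension (noting when they start with an image header) and image files that contain a PHP open tag. The extension list, the magic-byte table and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions the web server may hand to the PHP interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Leading bytes of common image formats (GIF is the one the advisory names).
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

def classify(path):
    """Return the reasons a file in an upload directory looks suspicious."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # the first 1 MiB is enough for this check
    ext = os.path.splitext(path)[1].lower()
    magic = next((kind for sig, kind in IMAGE_MAGIC.items()
                  if data.startswith(sig)), None)
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script extension in upload directory")
        if magic:
            reasons.append(f"{magic} header on script file")
    elif magic and b"<?php" in data.lower():
        reasons.append("PHP tag inside image file")
    return reasons

def scan(root):
    """Map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    samples = {  # constructed sample files, not taken from a real system
        "avatar.gif": b"GIF89a" + b"\x00" * 32,
        "notes.txt": b"plain text",
        "photo.php": b"GIF89a<?php echo 'constructed sample'; ?>",
        "banner.gif": b"GIF89a\x00<?php echo 'constructed sample'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print("\n".join(f"{p}: {'; '.join(r)}" for p, r in sorted(demo().items())))
```

Any hit on a script extension under a user-writable upload path is worth triage on its own, since such a directory should normally hold no interpretable files.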