Chamilo Learning Management System Remote Code Execution Vulnerability via Post-Authentication Phar Unserialization

Vulnerability

A remote code execution vulnerability has been identified in Chamilo Learning Management System, affecting versions from 1.11.12 up to (but not including) 1.11.26. The issue is a post-authentication Phar unserialization flaw that allows an authenticated administrator to execute arbitrary code on the server. It is exploited by combining several features of the virtualization plugin, vchamilo.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Chamilo is hosted.

Reproduction

To reproduce this vulnerability:

1. Enable the Virtualization plugin (vchamilo).
2. Generate a Phar payload with a tool such as phpggc, using a command execution gadget (for example one that runs the 'id' command).
3. Upload the payload as a PNG file through the 'myfiles' upload feature, then retrieve the uploaded file's URL.
4. Configure the vchamilo plugin to use the uploaded Phar file by setting the 'Container effectif de cours' parameter to 'phar://'.
5. Clear the application's cache so that the new setting takes effect.
6. Trigger the vulnerability by accessing the 'manage.testdatapath.php' endpoint of the vchamilo plugin, specifying the path to the uploaded file. The payload is executed on the server, resulting in remote code execution.
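The root cause is a path setting that PHP later touches with a filesystem call: once the value begins with phar://, the Phar stream wrapper reads the archive's metadata and unserializes it. The function below is an added example written for this page (not Chamilo's or the vchamilo plugin's own code) of the input validation that closes this class of bug: any stream-wrapper prefix is refused on the raw string before a filesystem call sees it, and the resolved directory must stay under an allowed root. The function name, the allowed root and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not Chamilo/vchamilo code. Validates a directory setting such
// as a course-container path. A phar:// value would make PHP unserialize Phar
// metadata as soon as the path is passed to is_dir(), file_exists() or similar,
// so scheme prefixes are rejected before any filesystem function is called.

function isSafeLocalDirectory(string $path, string $allowedRoot): bool
{
    // Refuse NUL bytes, which truncate the path inside the C-level calls.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    // Refuse any scheme://... prefix (phar://, data://, php://, ftp://, ...).
    // Checked on the raw string, so no stream wrapper is ever opened.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    // Only now is it safe to let PHP resolve the path on the local filesystem.
    $real = realpath($path);
    $root = realpath($allowedRoot);
    if ($real === false || $root === false || !is_dir($real)) {
        return false;
    }
    // The resolved directory must be the allowed root itself or live under it.
    $rootBase   = rtrim($root, DIRECTORY_SEPARATOR);
    $rootPrefix = $rootBase . DIRECTORY_SEPARATOR;
    return $real === $rootBase
        || strncmp($real, $rootPrefix, strlen($rootPrefix)) === 0;
}

// Constructed inputs for a quick self-check; the system temp directory is used
// as the assumed allowed root so the script runs anywhere.
$root  = sys_get_temp_dir();
$cases = [
    'phar:///srv/uploads/payload.png' => false,  // wrapper prefix (constructed path)
    'PHAR://anything'                 => false,  // case-insensitive scheme
    "$root/\0evil"                    => false,  // NUL byte
    "$root/../../etc"                 => false,  // escapes the allowed root
    $root                             => true,   // the root itself
];
foreach ($cases as $input => $expected) {
    $got = isSafeLocalDirectory($input, $root);
    printf("%-40s %s\n", addcslashes($input, "\0"), $got === $expected ? 'ok' : 'MISMATCH');
}
```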

Remediation

Users can upgrade to Chamilo version 1.11.28, where this vulnerability has been patched.

Added: Mar 2, 2026, 3:33 PM
Updated: Mar 2, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

  spread           5.0
  impact          10.0
  exploitability   5.1
  remediation      7.7
  relevance        3.4
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.