Chamilo Learning Management System OpenID Function Unauthenticated Blind Server-Side Request Forgery Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in the Chamilo learning management system, specifically in versions prior to 1.11.28. The issue arises in the OpenID function, which allows users to send requests to any URL on the server's behalf without authentication. This vulnerability could be exploited to probe and interact with internal services.

Impact

Exploitation of this vulnerability allows for unauthenticated blind server-side request forgery, where an attacker can send requests to internal services on behalf of the server.

Reproduction

To reproduce this vulnerability, enable the OpenID login function and send a POST request to the 'index.php' page with the 'openid_url' parameter set to a URL on 'localhost' that is not accessible from the outside. The server will then make a request to that URL, demonstrating the SSRF vulnerability.

Remediation

Users can update to Chamilo version 1.11.28 or later, where this vulnerability has been patched.