Chamilo LMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Chamilo LMS versions prior to 1.11.28. Chamilo's web services are built on the bundled NuSOAP library, and in its 'class.soap_server.php' the server normally dispatches a SOAP call through 'call_user_func_array'. When that function is listed under 'disable_functions' in 'php.ini', NuSOAP falls back to assembling the method call as PHP source and running it through 'eval()'. The parameters taken from the SOAP request are concatenated into that source without filtering, so a crafted parameter value is executed as PHP instead of being passed as data. The flaw is therefore only reachable on deployments whose PHP configuration disables 'call_user_func_array'; when the function is available, the 'eval()' fallback is never used.

Impact

Exploitation lets a remote attacker execute arbitrary code on the server hosting Chamilo LMS, typically with the privileges of the web server's PHP process.

Reproduction

To reproduce, first confirm that 'php.ini' lists 'call_user_func_array' under 'disable_functions'. Check the configuration of the SAPI that actually serves Chamilo (mod_php or PHP-FPM), since the CLI may load a different ini file. Then send a SOAP request to 'registration.soap.php' whose parameter value carries the PHP to be executed; the original report uses 'shell_exec' to write a PHP file to the server and then requests that file so it runs as a backdoor.
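The dispatch pattern described above, reduced to a runnable model, as an added example. This is not Chamilo's or NuSOAP's code: 'WSGreet', 'soapParams', 'dispatchViaEval', 'dispatchVulnerable', 'dispatchHardened' and the request body are constructed for this illustration. It follows a SOAP parameter from the envelope into a string-built call that reaches 'eval()', beside a dispatcher that hands the same parameter over as data:

```php
<?php
// Added illustration, not code from Chamilo or NuSOAP. All names below are
// assumptions made for this example.

// A server-side method a client may legitimately call through the web service.
function WSGreet(string $name): string
{
    return 'hello, ' . $name;
}

// Constructed request body in the shape of a SOAP 1.1 call. The parameter
// value closes the double-quoted string literal that the vulnerable dispatcher
// builds and concatenates a PHP expression onto it.
const HOSTILE_ENVELOPE = <<<'XML'
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <WSGreet>
      <name>".phpversion()."</name>
    </WSGreet>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
XML;

// Extract the method name and parameter values from the Body. Nothing here
// sanitises the values, which is normal: the defect is in what happens next.
function soapParams(string $envelope): array
{
    $xml  = new SimpleXMLElement($envelope);
    $body = $xml->children('http://schemas.xmlsoap.org/soap/envelope/')->Body;
    $call = null;
    foreach ($body->children() as $first) {   // first element of Body is the call
        $call = $first;
        break;
    }
    $params = [];
    foreach ($call->children() as $child) {
        $params[$child->getName()] = (string) $child;
    }
    return [$call->getName(), $params];
}

// Vulnerable path: the fallback a NuSOAP-style server takes when
// call_user_func_array() is unavailable. The call is assembled as PHP source
// with each raw parameter dropped inside double quotes, then eval()'d.
function dispatchViaEval(string $method, array $params)
{
    $src = '$ret = ' . $method . '(';
    foreach ($params as $p) {
        $src .= '"' . $p . '",';
    }
    $src = rtrim($src, ',') . ');';
    // With the constructed envelope the generated source is
    //   $ret = WSGreet("".phpversion()."");
    // so the parameter is evaluated as code, not passed as a string.
    eval($src);
    return $ret;
}

// function_exists() returns false for anything listed in disable_functions,
// which is exactly what routes a request into the eval() branch.
function dispatchVulnerable(string $method, array $params)
{
    if (function_exists('call_user_func_array')) {
        return call_user_func_array($method, array_values($params));
    }
    return dispatchViaEval($method, $params);
}

// Hardened path: never turn input into source. Check the method against an
// explicit allowlist and invoke it via reflection, which needs neither
// call_user_func_array() nor eval(), so disabling functions cannot downgrade it.
function dispatchHardened(string $method, array $params)
{
    static $allowed = ['WSGreet' => true];
    if (!isset($allowed[$method])) {
        throw new InvalidArgumentException('unknown method ' . $method);
    }
    return (new ReflectionFunction($method))->invokeArgs(array_values($params));
}

[$method, $params] = soapParams(HOSTILE_ENVELOPE);

// Call the eval() branch directly so the difference is visible without
// editing php.ini: the greeting embeds the interpreter's version, i.e. the
// parameter was executed.
echo dispatchViaEval($method, $params), PHP_EOL;

// The same request through the hardened dispatcher: the parameter arrives
// verbatim and is greeted back as text.
echo dispatchHardened($method, $params), PHP_EOL;
```

Running the file with 'php -d disable_functions=call_user_func_array model.php' makes 'function_exists' return false, so 'dispatchVulnerable' itself selects the 'eval()' branch, mirroring the 'php.ini' condition the advisory describes; without that flag the same function passes the parameter as an argument and the text is never evaluated. Only the allowlist-plus-reflection shape is safe to use with untrusted input.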

Remediation

Upgrade to Chamilo LMS 1.11.28 or later, where this vulnerability has been patched. Because the vulnerable 'eval()' path is only reached when 'call_user_func_array' is disabled, verifying that it is not listed in 'disable_functions' for the SAPI serving Chamilo removes the trigger on hosts that cannot be upgraded immediately, but it is not a substitute for the upgrade.

Added: Mar 2, 2026, 3:31 PM
Updated: Mar 2, 2026, 10:04 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact         10.0
exploitability  7.8
remediation     7.9
relevance       3.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.