Chamilo
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 1.11.28
A command injection vulnerability has been identified in Chamilo LMS versions prior to 1.11.30. The issue resides in the VChamilo plugin, specifically within the import.php file. The vulnerability allows authorized users with administrator privileges to execute arbitrary operating system commands on the server where Chamilo is hosted. This is achieved by manipulating the 'to_main_database' parameter in a POST request; the parameter is not properly sanitized before being incorporated into an operating system command that the server executes.
Exploitation of this vulnerability allows for unauthorized command execution on the server, potentially leading to a full compromise of the application and its data.
To reproduce this vulnerability, first ensure that the VChamilo plugin is activated. Then, send a POST request to '/plugin/vchamilo/views/import.php' with a crafted 'to_main_database' parameter that includes the command to be executed. The command injection can be verified by executing a command that, for example, creates a reverse shell connection back to the attacker.
Users are advised to update to Chamilo version 1.11.30 or later, where this vulnerability has been patched.
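The bug class described above, as an added illustration that is not Chamilo's own code nor the actual 1.11.30 patch: a hypothetical import handler that interpolates the `to_main_database` POST parameter into a shell command, beside a hardened version that validates the value against an allowlist before it is escaped. The `mysqldump`/`mysql` pipeline and the function names are assumptions made for the example.

```php
<?php
// Hypothetical illustration of the unsanitized-parameter pattern.
// This is NOT the real Chamilo plugin/vchamilo/views/import.php code.

// --- Vulnerable pattern: request input interpolated into a shell command string.
function importVulnerable(array $post): string
{
    $target = $post['to_main_database'] ?? '';
    // Any shell metacharacter inside $target is interpreted by /bin/sh,
    // so the caller controls what the server executes.
    $cmd = "mysqldump vchamilo_source | mysql " . $target;
    return (string) shell_exec($cmd);
}

// --- Hardened pattern: strict allowlist of what a database name may look like.
function isValidDatabaseName(string $name): bool
{
    // Conservative identifier charset: letters, digits, underscore, max 64 chars.
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

function importHardened(array $post): string
{
    $target = $post['to_main_database'] ?? '';
    if (!isValidDatabaseName($target)) {
        // Reject rather than "clean up": unexpected input is an error, not data to repair.
        throw new InvalidArgumentException('Invalid target database name');
    }
    // Defence in depth: even a validated value is passed as a single quoted shell word.
    $cmd = sprintf('mysqldump vchamilo_source | mysql %s', escapeshellarg($target));
    return (string) shell_exec($cmd);
}

// Constructed sample inputs: the first passes validation, the second is rejected.
var_dump(isValidDatabaseName('chamilo_main'));       // bool(true)
var_dump(isValidDatabaseName('main; id > /tmp/x'));  // bool(false)
```

The same allowlist check is also a useful detection rule: a request to the import endpoint whose `to_main_database` value fails it is a strong signal worth alerting on in application or WAF logs.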