Chamilo OS Command Injection Vulnerability in VChamilo Plugin

A command injection vulnerability has been identified in Chamilo LMS versions prior to 1.11.30, specifically within the VChamilo plugin. The issue arises in the 'manage.controller.php' file, where user input is inadequately validated before being passed to the operating system for execution. This flaw allows authenticated users with administrative privileges to execute arbitrary commands on the server, potentially leading to unauthorized access or manipulation of system resources.

Impact

Exploitation of this vulnerability allows for OS command injection, where an attacker can execute arbitrary commands on the server with the privileges of the web server user. In the reported case, this exploitation led to a reverse shell being opened, providing the attacker with command-line access to the server.

Reproduction

To reproduce this vulnerability, an instance of Chamilo LMS with the VChamilo plugin activated is required. After ensuring that the VChamilo plugin is active, navigate to the 'edit instance' page of the VChamilo plugin. In the 'main_database' parameter, inject a command payload wrapped in backticks to execute a command via the 'exec' function. Once the payload is executed, a reverse shell can be obtained by downloading a script file through the injected command execution.

Remediation

Users are advised to update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.