Chamilo OS Command Injection Vulnerability in VChamilo Plugin

Vulnerability

A command injection vulnerability has been identified in Chamilo LMS versions prior to 1.11.30. The issue resides in the VChamilo plugin, specifically in the 'editinstance.php' file. The vulnerability allows authorized users with administrative privileges to inject and execute arbitrary commands on the server via the 'main_database' parameter. The value of this parameter is consumed by the 'addInstance' function, which passes it to PHP's 'exec' function without sanitising it, so shell metacharacters contained in the parameter are interpreted by the shell and any embedded command runs on the server, leading to potential unauthorized access to or manipulation of the server.
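The following is an added illustration of the bug class the advisory describes, written for this page and not taken from Chamilo's code base. It assumes a hypothetical helper that builds a shell command from a database-name parameter (the use of mysqldump, the function names and the file path are all assumptions); the first version reproduces the unsafe pattern of interpolating the request value straight into a command string, the second validates the value as a MySQL identifier and quotes it before it reaches the shell.

```php
<?php
// Added illustration (hypothetical, not Chamilo's code). Shows the unsafe
// pattern of passing an untrusted request parameter into a shell command,
// followed by a hardened variant.

// VULNERABLE PATTERN: the request value is concatenated directly into the
// command string, so any shell metacharacter it contains is interpreted by
// the shell when exec() runs the string.
function buildDumpCommandVulnerable(string $mainDatabase): string
{
    // exec("mysqldump --databases $mainDatabase ...") would execute this string.
    return 'mysqldump --databases ' . $mainDatabase . ' > /tmp/dump.sql';
}

// HARDENED: accept only a plausible MySQL identifier (letters, digits and
// underscore, at most 64 characters) and reject everything else up front.
function validateDatabaseName(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('Invalid database name');
    }
    return $name;
}

// Even after validation, quote the value so the shell treats it as a single
// literal argument; escapeshellarg() is the PHP built-in for that.
function buildDumpCommandHardened(string $mainDatabase): string
{
    $safe = validateDatabaseName($mainDatabase);
    return 'mysqldump --databases ' . escapeshellarg($safe) . ' > /tmp/dump.sql';
}

// Constructed sample inputs for demonstration.
$benign  = 'chamilo_main';
$hostile = 'chamilo_main; echo injected';   // constructed: contains a shell separator

echo "vulnerable: " . buildDumpCommandVulnerable($hostile) . PHP_EOL;
// The shell would parse the string above as two separate commands.

try {
    echo "hardened:   " . buildDumpCommandHardened($hostile) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

echo "hardened:   " . buildDumpCommandHardened($benign) . PHP_EOL;
```

The allow-list check is the primary control; escapeshellarg() is a second layer in case the validation is later loosened. Where the operation only needs a database created or selected, issuing it through the database driver (for example PDO) avoids invoking a shell at all, which removes this bug class rather than filtering it.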

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands running in the context of the web server user. This could lead to unauthorized access, data manipulation, or further exploitation of the server.

Reproduction

To reproduce this vulnerability, an instance of Chamilo LMS with the VChamilo plugin activated is required. An administrative user must be logged in. The vulnerability can be exploited by navigating to the 'editinstance.php' view and injecting a command payload into the 'main_database' parameter. Once the instance is saved, the injected command is executed on the server.

Remediation

Users are advised to update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.

Added: Mar 2, 2026, 4:33 PM
Updated: Mar 2, 2026, 9:52 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact         10.0
exploitability  5.9
remediation     7.7
relevance       3.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.