Chamilo OS Command Injection Vulnerability in Language Management Component

A command injection vulnerability has been identified in Chamilo Learning Management System (LMS) versions prior to 1.11.30. The issue resides in the language management component, specifically within the 'sub_language_ajax.inc.php' file. The vulnerability allows authenticated users with administrative privileges to execute arbitrary operating system commands on the server where Chamilo is hosted. This exploitation occurs through the 'new_language' parameter in a POST request, taking advantage of insufficient input validation before the data is passed to the operating system shell.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the server, potentially leading to further system compromise or data manipulation.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the 'Languages' settings page. Enable the 'Allow definition and use of sub-languages' option. Once this is set, create a sub-language and insert a payload into the 'Original name' field. Save the changes, which will trigger the injection by executing the command via the created language file.

Remediation

Users can update to Chamilo version 1.11.30 or later, where this vulnerability has been patched.