Chamilo
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 1.11.28
A deserialization vulnerability has been identified in Chamilo LMS, specifically in versions prior to 1.11.30. The issue resides within the VChamilO plugin, in the import view. The vulnerability allows an authenticated user with administrative privileges to upload a crafted PHAR file that, upon deserialization, can manipulate the application's logic or potentially execute arbitrary code. This exploitation is made possible by directing user-controlled data to functions that interact with the file system, such as checking directory existence or file readability.
Exploitation of this vulnerability could lead to unauthorized deserialization of data, allowing attackers to create objects of arbitrary classes, control their properties, and modify the application's behavior. In a demonstrated exploitation, this vulnerability was used to achieve a reverse shell, providing remote command execution on the server.
To reproduce this vulnerability, an attacker must first upload a PHAR file containing a payload, such as a reverse shell, to the server using a user account with the 'Learner' role. This can be done through a file upload feature that accepts arbitrary file extensions. Once the PHAR file is uploaded, an administrator can trigger the vulnerability by accessing the import view of the VChamilO plugin, which deserializes the PHAR file and executes the embedded payload.
Users can update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched.
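The root cause described above is a user-controlled path reaching a file-system check such as `is_dir()` or `is_readable()`. The following is an added illustration, not Chamilo's or the VChamilO plugin's own code: the unsafe pattern beside a hardened path check that refuses stream wrappers and confines the path to a base directory. The function names and `$baseDir` are hypothetical.

```php
<?php
// Added example (not Chamilo code). Names and the base directory are hypothetical.

// UNSAFE: the user-supplied string goes straight to a stat-type call. If it
// starts with "phar://", PHP opens the archive to answer is_dir()/is_readable()
// and, on PHP < 8.0, unserializes the archive metadata as a side effect.
function importPathUnsafe(string $userPath): bool
{
    return is_dir($userPath) || is_readable($userPath);
}

// HARDENED: reject any scheme prefix, resolve the path inside a fixed base
// directory, and only then touch the file system. Returns the resolved path
// or null when the input is not acceptable.
function importPathHardened(string $userPath, string $baseDir): ?string
{
    // 1. Refuse every "scheme://" prefix (phar://, php://, data://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        return null;
    }

    // 2. Resolve the base directory and the candidate; realpath() collapses
    //    ".." segments and symlinks and returns false for non-existent paths.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }

    // 3. The resolved path must still sit inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Only now is a file-system check performed, on a path we control.
    return (is_dir($candidate) || is_readable($candidate)) ? $candidate : null;
}

// Defense in depth: if the application never needs phar:// at all, remove
// the wrapper at bootstrap so no code path can reach it.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

On the detection side, a request parameter or stored path beginning with `phar://` arriving at an import or file-management endpoint is a strong indicator of an attempt against this class of bug and is worth alerting on.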