Chamilo LMS H5P Import Feature Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Chamilo LMS versions prior to 1.11.36. It stems from an arbitrary file upload flaw in the H5P Import feature, which allows an authenticated user holding the Teacher role to execute arbitrary code on the server. The flaw exists because H5P package validation only checks that an 'h5p.json' file is present and does not reject '.htaccess' files or PHP files carrying alternative extensions. Exploitation involves uploading a manipulated H5P package that bundles a web shell together with an '.htaccess' file configured to enable PHP execution for '.txt' files, thereby bypassing the existing restrictions.
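
The check the advisory says is missing, as an added defensive example that is not Chamilo's own code: the validator requires the 'h5p.json' manifest but also rejects server configuration files such as '.htaccess', any entry whose extension chain contains a PHP-type extension (so 'x.php' and 'x.php.txt' alike), and unsafe paths. The extension and config-file lists are assumptions for this example; a deployment should derive them from its own web server configuration.

```python
import io
import posixpath
import zipfile

# Assumption: extensions a typical Apache/PHP stack may execute.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Assumption: server-side configuration files that must never arrive inside user content.
SERVER_CONFIG_NAMES = {".htaccess", ".htpasswd", "web.config", ".user.ini"}


def validate_h5p_package(zip_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means the package is acceptable.

    Goes beyond "h5p.json exists": every entry name is inspected for server
    config files, executable extensions anywhere in the suffix chain, and
    path traversal or absolute paths.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if "h5p.json" not in names:
            findings.append("missing h5p.json manifest")
        for name in names:
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm.startswith("..") or "\\" in name:
                findings.append(f"unsafe path: {name}")
                continue
            base = posixpath.basename(norm).lower()
            if base in SERVER_CONFIG_NAMES:
                findings.append(f"server configuration file not allowed: {name}")
            # Check every suffix so that 'shell.php.txt' is caught as well as 'shell.php'.
            for ext in ("." + part for part in base.split(".")[1:]):
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable file type not allowed: {name}")
                    break
    return findings


def build_package(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a manifest plus a config file that should be rejected.
    print(validate_h5p_package(build_package({"h5p.json": b"{}", "content/.htaccess": b""})))
```

The same function can be run over already-stored packages to audit uploads made before the upgrade.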

Impact

Exploitation of this vulnerability leads to full server compromise, with the attacker gaining access as the 'www-data' user. This also allows for extraction of database credentials.

Remediation

Users can upgrade to Chamilo LMS version 1.11.36 or later to address this vulnerability.

Added: Mar 16, 2026, 9:10 PM
Updated: Mar 16, 2026, 9:10 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 5.4
remediation: 7.7
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.