Chamilo LMS Path Traversal Vulnerability Leading to Arbitrary File Deletion

Vulnerability

A path traversal vulnerability allowing arbitrary file deletion has been identified in Chamilo LMS versions prior to 1.11.38. The issue resides in the 'main/exercise/savescores.php' file, where the value of '$_REQUEST['test']' is appended directly to a file path without validation or a traversal check (in PHP, '$_REQUEST' carries query-string and request-body parameters alike, so either channel reaches the vulnerable code). Because the resulting path is never canonicalized and compared against the intended base directory, a value containing '../' sequences resolves to a location outside the course 'document' directory, and the file there is deleted. Any authenticated user who can reach the script can trigger this; which files can be deleted is bounded only by the file system permissions of the web server process.
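
The check that the advisory says is missing, shown as an added example in Python rather than PHP (this is not Chamilo's savescores.php; the function names and the directory layout built under a temp dir are assumptions for the illustration). The vulnerable pattern appends the untrusted value and deletes; the hardened pattern canonicalizes both paths and refuses anything that does not stay under the base directory. The PHP equivalent is realpath() on both paths followed by a prefix comparison.

```python
"""Path-containment check for a delete operation. This is an added illustration
of the fix the advisory describes, not Chamilo's savescores.php; function names
and the directory layout under the temp dir are assumptions for the example."""
import os
import tempfile
from typing import Dict, Optional


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Canonical path of base_dir/user_path if it stays inside base_dir, else None.

    realpath() collapses '..' segments and follows symlinks, so both a plain
    '../' sequence and a symlink planted inside base_dir that points outside
    are refused. An absolute user_path makes os.path.join drop base_dir, which
    the same check also catches.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_dir, user_path))
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:  # paths on different drives (Windows) share no prefix
        return None
    return target


def delete_unsafe(base_dir: str, user_path: str) -> bool:
    """The vulnerable pattern: untrusted input appended to the path, then deleted."""
    path = os.path.join(base_dir, user_path)
    if not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def delete_safe(base_dir: str, user_path: str) -> bool:
    """The hardened pattern: refuse anything that resolves outside base_dir."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> Dict[str, bool]:
    """Exercise both patterns against a constructed course tree in a temp dir."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as root:
        document_dir = os.path.join(root, "courses", "COURSE1", "document")
        os.makedirs(document_dir)
        # Stand-in for a file outside the course document directory.
        outside = os.path.join(root, "outside.txt")
        for name, delete in (("unsafe", delete_unsafe), ("safe", delete_safe)):
            open(outside, "w").close()
            open(os.path.join(document_dir, "scores.txt"), "w").close()
            results[f"{name}_legit"] = delete(document_dir, "scores.txt")
            results[f"{name}_traversal"] = delete(document_dir, "../../../outside.txt")
            results[f"{name}_outside_survives"] = os.path.exists(outside)
        # A symlink inside the document directory that points outside it.
        open(outside, "w").close()
        os.symlink(outside, os.path.join(document_dir, "link"))
        results["safe_symlink"] = delete_safe(document_dir, "link")
        results["safe_symlink_outside_survives"] = os.path.exists(outside)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The prefix comparison must be done on canonicalized paths and must treat the base as a directory (a base of '/srv/doc' must not accept '/srv/document2'); os.path.commonpath handles that segment boundary, which a plain string prefix test does not.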

Impact

Exploitation of this vulnerability allows an authenticated user to delete arbitrary files on the server, within the limits of the web server process's file system permissions. That typically covers the application's own writable files (uploaded content, course documents, configuration the web server can modify), so the realistic outcome is data loss and denial of service; removal of files owned by other system accounts depends on how the deployment has set permissions.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to 'main/exercise/savescores.php' with a crafted 'test' parameter containing traversal sequences such as '../', interpreted relative to the course 'document' directory. Because no path validation is performed, the request deletes whatever file the traversed path resolves to. Confirm this only on a test instance, with a throwaway target file created beforehand so the deletion is observable: a delete primitive has no harmless read-only variant.
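
For teams that want to know whether the request pattern above has been attempted against their instance, the following added example (not from the advisory or the Chamilo project) scans web server access log lines for requests to the savescores.php endpoint whose 'test' value contains a '..' path segment after percent-decoding. The log lines are constructed in combined-log style; only the endpoint path and the 'test' parameter name come from the advisory.

```python
"""Detection of traversal attempts against the savescores.php endpoint in web
server access logs. This is an added example, not part of the advisory or of
Chamilo; the log lines below are constructed in combined-log style, and only
the endpoint path and the 'test' parameter name come from the advisory."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: one benign request, three traversal attempts with
# increasing levels of percent-encoding, and one traversal against a
# different endpoint that the path filter must ignore.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:19:07:01 +0000] "GET /main/exercise/savescores.php?test=scores.txt HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2026:19:07:02 +0000] "GET /main/exercise/savescores.php?test=../../../../other/file.txt HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2026:19:07:03 +0000] "GET /main/exercise/savescores.php?test=..%2F..%2Fcourses%2FOTHER%2Fdocument%2Fnotes.txt HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2026:19:07:04 +0000] "GET /main/exercise/savescores.php?test=%252e%252e%252f%252e%252e%252foutside.txt HTTP/1.1" 200 512
10.0.0.9 - - [10/Apr/2026:19:07:05 +0000] "GET /index.php?test=../../x HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# '..' as a whole path segment, with either slash style, at start, middle or end.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> '.') up to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment."""
    return TRAVERSAL_RE.search(decode_fully(value)) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per savescores.php request whose 'test' value traverses."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/main/exercise/savescores.php"):
            continue
        # parse_qs already removes one layer of percent-encoding.
        for value in parse_qs(url.query, keep_blank_values=True).get("test", []):
            if has_traversal(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "test": decode_fully(value)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} test={hit["test"]}')
```

Access logs record only the query string, and '$_REQUEST' also accepts values sent in a POST body, so an attempt carried in the body is invisible here and needs application-level or WAF request logging. This scan identifies attempts, not success; the upgrade in the Remediation section is the fix.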

Remediation

Update to Chamilo LMS version 1.11.38 or 2.0, both of which add the missing path validation and traversal checks. Download instructions are available on the Chamilo LMS GitHub releases page. Until the upgrade is applied, limiting the web server process's write permission to the directories it genuinely needs reduces what a successful deletion can reach, since the impact of this flaw is bounded by those permissions.

Added: Apr 10, 2026, 7:07 PM
Updated: Apr 10, 2026, 7:07 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.2
exploitability: 6.4
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.