Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 1.11.36
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. It resides in the Social Wall feature, in the 'read_url_with_open_graph' endpoint, which takes a URL from the 'social_wall_new_msg_main' POST parameter and makes two server-side HTTP requests to it without checking whether the target is an internal or external resource. An authenticated attacker can therefore use the server to issue arbitrary HTTP requests to internal services, scan internal ports, and reach cloud instance metadata endpoints.
Successful exploitation lets an authenticated attacker make unauthorized HTTP requests to services that are reachable from the Chamilo server but not from the attacker, potentially exposing sensitive data or services. On cloud-hosted instances, the same request path reaches the instance metadata endpoint and can be used to retrieve cloud credentials.
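The check the Social Wall fetch was missing, shown as an added example in Python (this is illustrative code, not Chamilo's own PHP implementation or its patch): every address the target host resolves to is tested against private, loopback, link-local (which covers the 169.254.169.254 metadata service) and IPv4-mapped ranges before any HTTP request is made, and the test is repeated on every redirect hop, since a public host can redirect the server into the internal network. The hostnames, the DNS map and the sample responses below are constructed so the example runs offline.

```python
"""Pre-flight validation of a user-supplied URL before a server-side fetch.

Added example, not code from Chamilo LMS. The FAKE_DNS map, the
FAKE_SITES table and the *.test hostnames are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

# Ranges a server-side fetcher must never contact. 169.254.0.0/16 covers the
# cloud instance metadata service; ::ffff:0:0/96 covers IPv4-mapped IPv6.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


def default_resolver(host):
    """Return every address the host resolves to. All of them must pass:
    an attacker-controlled name can mix a public and a private record."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip_text):
    """True if the address falls in any non-public range above."""
    addr = ipaddress.ip_address(ip_text)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_target_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only for http(s) URLs without embedded
    credentials whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, "unresolvable host: %s" % exc
    if not addrs:
        return False, "host resolved to nothing"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, "host %s resolves to non-public %s" % (host, ip)
    return True, "ok"


def safe_fetch(url, transport, resolver=default_resolver):
    """Fetch through transport(url) -> (status, headers, body), re-validating
    the target on every redirect hop. Returns (final_url, body) or raises."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_target_url(url, resolver)
        if not ok:
            raise ValueError("refusing %s: %s" % (url, reason))
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise ValueError("too many redirects")


# ---- constructed resolver and transport so the example runs offline ----
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.test": {"10.0.0.5"},
    "rebind.attacker.test": {"93.184.216.34", "127.0.0.1"},  # mixed records
}


def fake_resolver(host):
    try:
        ipaddress.ip_address(host)  # numeric host: nothing to resolve
        return {host}
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed resolver: no such host %s" % host)
    return FAKE_DNS[host]


FAKE_SITES = {
    "http://example.com/post": (200, {}, b"<meta property='og:title' content='Hi'>"),
    # a public page that bounces the server into the metadata service
    "http://example.com/redir": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\n"),
}


def fake_transport(url):
    return FAKE_SITES.get(url, (404, {}, b""))


if __name__ == "__main__":
    for u in ("http://example.com/post", "http://intranet.test/",
              "http://169.254.169.254/latest/meta-data/", "http://example.com/redir"):
        try:
            print(u, "->", safe_fetch(u, fake_transport, fake_resolver))
        except ValueError as e:
            print(u, "->", e)
```

Two caveats a practitioner should keep in mind: the check validates the addresses returned at check time, so a production client should connect to the validated address rather than letting the HTTP library resolve the name a second time (DNS rebinding), and the redirect re-check above is only effective when the HTTP client is configured not to follow redirects on its own.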
Users can update to Chamilo LMS versions 1.11.38 or 2.0.0-RC.3, where this vulnerability has been patched. Instructions for updating can be found in the Chamilo LMS GitHub repository.