Chamilo LMS OS Command Injection Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A command injection vulnerability has been identified in Chamilo LMS, specifically in versions prior to 1.11.38 and 2.0.0-RC.3. The issue arises in the file management library, where the 'move' function directly passes user-controlled path values into 'exec()' commands without proper sanitization. This vulnerability can be exploited by authenticated users, particularly teachers, who can manipulate document movement to execute arbitrary commands on the server as the web server user.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server with the privileges of the web server user, 'www-data'. This amounts to remote code execution and could compromise the entire server, since the attacker can read and modify files, including sensitive data such as database credentials and user information. It could also facilitate lateral movement to other systems or services reachable from the compromised server.

Reproduction

To reproduce this vulnerability, an authenticated user (specifically a teacher) must first upload a document containing shell metacharacters into a course. This can be done by importing a course backup that includes such a document. Once the document is uploaded, the user can move it to a directory with a name that includes shell metacharacters. The 'move_to' parameter, which is not properly sanitized, will be processed by the vulnerable 'move' function, leading to arbitrary command execution on the server.

Remediation

Users can update to Chamilo LMS versions 1.11.38 or 2.0.0-RC.3, where this vulnerability has been fixed.
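The following is an added illustration of the flaw class described above, not code from Chamilo LMS: a document-move routine that builds a shell command from user-controlled paths, beside a hardened version that never invokes a shell and confines both paths to the course document directory. The function names (move_document_unsafe, move_document_safe, resolve_inside_root) and the DOCUMENT_ROOT_DIR value are assumptions made for this example.

```php
<?php
// Added illustrative example; not Chamilo's own code. All names below are hypothetical.

// Base directory under which every course document must stay (assumed value).
const DOCUMENT_ROOT_DIR = '/var/www/chamilo/app/courses/DEMO/document';

/**
 * Vulnerable pattern: user-controlled paths are concatenated into a shell
 * command. The shell parses the whole string, so a directory name containing
 * a metacharacter such as ';' terminates the mv command and the remainder
 * runs as a separate command under the web server user.
 */
function move_document_unsafe(string $srcPath, string $destDir): void
{
    exec('mv ' . $srcPath . ' ' . $destDir, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('move failed: ' . implode("\n", $output));
    }
}

/**
 * Resolve a path and require it to lie inside DOCUMENT_ROOT_DIR.
 * realpath() collapses '..' and symlinks, so traversal is caught as well.
 */
function resolve_inside_root(string $path): string
{
    $real = realpath($path);
    $root = realpath(DOCUMENT_ROOT_DIR);
    if ($real === false || $root === false) {
        throw new InvalidArgumentException("path does not exist: $path");
    }
    // Compare with a trailing separator so "/document-evil" does not match "/document".
    if (strpos($real . '/', $root . '/') !== 0) {
        throw new InvalidArgumentException("path escapes document root: $path");
    }
    return $real;
}

/**
 * Hardened pattern: no shell is involved. rename() receives the paths as
 * plain arguments, so metacharacters are just bytes in a filename, and both
 * paths are validated against the document root before anything is touched.
 */
function move_document_safe(string $srcPath, string $destDir): string
{
    $src  = resolve_inside_root($srcPath);
    $dest = resolve_inside_root($destDir);
    if (!is_dir($dest)) {
        throw new InvalidArgumentException("destination is not a directory: $destDir");
    }
    $target = $dest . '/' . basename($src);
    if (file_exists($target)) {
        throw new RuntimeException("target already exists: $target");
    }
    if (!rename($src, $target)) {
        throw new RuntimeException("rename failed for $src");
    }
    return $target;
}

// If an external tool really is required, each argument must still be quoted
// individually with escapeshellarg() rather than interpolated into the command:
//   exec('mv ' . escapeshellarg($src) . ' ' . escapeshellarg($target), $out, $rc);
```

The design point is that quoting is the fallback, not the fix: replacing exec() with a filesystem API removes the shell from the data path entirely, and the document-root check turns a surviving metacharacter or '..' sequence into a rejected request rather than a filesystem change outside the course.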

Added: Apr 10, 2026, 7:05 PM
Updated: Apr 10, 2026, 7:05 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.