Chamilo LMS Unrestricted File Upload Vulnerability in Exercise Sound Upload Function Allowing Remote Code Execution

Vulnerability

An unrestricted file upload vulnerability has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The issue lies in the exercise sound upload function, which trusts the client-supplied MIME type: an authenticated teacher can upload a PHP web shell by setting the Content-Type of the multipart file part to audio/mpeg. The uploaded file keeps its .php extension and is written to a web-accessible directory, so requesting it executes the shell as the web server user (typically www-data).

Impact

Exploitation of this vulnerability allows remote code execution on the server as the web server user (typically www-data). From that context an attacker can read any file that user can access, for example /etc/passwd, the application's .env (which may contain database credentials) and /etc/shadow (if readable). This can lead to full server compromise with persistent web shell access, and to lateral movement via exposed database credentials.

Reproduction

To reproduce this vulnerability, an authenticated teacher uploads a file through the exercise sound upload feature with a .php extension (for example a PHP web shell) while setting the Content-Type of the multipart file part to audio/mpeg. Because only the client-supplied MIME type is checked, the file is accepted and stored with its .php extension, and requesting it from the web-accessible upload directory executes it.
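The following is an added, illustrative example (not Chamilo's code and not taken from the advisory) of the general pattern behind this class of bug: a check that trusts the client-supplied MIME type in $_FILES, and a hardened validator that ignores it in favour of a server-side extension allow-list, content sniffing of the real bytes, and a server-generated filename. The helper names, allow-lists and sample payload are assumptions for the demonstration.

```php
<?php
// Added example, not Chamilo's code. Demonstrates why trusting
// $_FILES[...]['type'] lets a .php file through an "audio only" check,
// and one way to validate an upload without trusting the client.

// Vulnerable pattern: $_FILES['f']['type'] is copied verbatim from the
// Content-Type of the multipart part and is fully attacker-controlled.
function isAllowedAudioVulnerable(array $file): bool
{
    $allowedMime = ['audio/mpeg', 'audio/ogg', 'audio/wav'];
    return in_array($file['type'], $allowedMime, true);
}

// Hardened pattern (assumed allow-lists). Returns the safe filename to
// store under, or throws. The caller still has to move the file into a
// directory where PHP execution is disabled (or outside the web root).
function validateAudioUpload(array $file): string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }

    // 1. Server-side extension allow-list, taken from the last dot and
    //    lower-cased so "shell.PHP" or "shell.mp3.php" cannot slip through.
    $allowedExt = ['mp3', 'ogg', 'wav'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException("extension .$ext not allowed");
    }

    // 2. Sniff the real content with finfo; $file['type'] is never consulted.
    $allowedDetected = [
        'audio/mpeg', 'audio/ogg', 'application/ogg',
        'audio/x-wav', 'audio/wav',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !in_array($detected, $allowedDetected, true)) {
        throw new RuntimeException("content type $detected not allowed");
    }

    // 3. Never reuse the client-supplied name: generate one and keep only
    //    the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- Demonstration with a constructed "upload" ---------------------------
// Simulate what PHP would put in $_FILES for a web shell sent as audio/mpeg.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php system(\$_GET['cmd']); ?>\n"); // constructed payload
$spoofed = [
    'name'     => 'shell.php',
    'type'     => 'audio/mpeg',   // attacker sets this in the multipart part
    'tmp_name' => $tmp,
    'error'    => UPLOAD_ERR_OK,
    'size'     => filesize($tmp),
];

var_dump(isAllowedAudioVulnerable($spoofed));   // bool(true): spoofed type accepted

try {
    $safeName = validateAudioUpload($spoofed);
    echo "accepted as $safeName\n";
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n"; // rejected: extension .php not allowed
}
unlink($tmp);
```

Two caveats a practitioner should keep in mind. Content sniffing alone is not sufficient: a valid MP3 with PHP appended still sniffs as audio/mpeg, so the extension allow-list and storing uploads where the web server will not execute PHP are the controls that actually matter. And on the detection side, the same mismatch is a useful hunting signal: a file in an upload directory whose extension is .php (or whose content starts with "<?php") but whose surrounding files are all audio is worth an immediate look.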

Remediation

Users should update to Chamilo LMS 1.11.38 or 2.0.0-RC.3 (or later) to address this vulnerability.

Added: Apr 10, 2026, 7:01 PM
Updated: Apr 10, 2026, 7:01 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 7.8
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.