Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- > 1.11.*
- <= 2.0-RC.2
A remote code execution vulnerability exists in Chamilo LMS versions greater than 1.11.* and up to 2.0-RC.2. The issue arises in the PlatformConfigurationController::decodeSettingArray() method, which improperly passes platform settings read from the database to PHP's eval() function. An attacker with admin access can therefore store arbitrary PHP code in the settings. That code is executed whenever any user accesses the /platform-config/list route, which does not require authentication, so unauthenticated visitors trigger it as well. The vulnerability allows for full server compromise, as the executed code runs with the same privileges as the web server user.
Exploitation of this vulnerability yields full remote code execution on the server, with the injected code running as the www-data user. With that access an attacker can execute arbitrary system commands, read server files (including the .env file containing database credentials), establish reverse shells, and fully compromise the server. When chained with a separate advisory that grants admin access, any registered student could reach this level of compromise.
Users can upgrade to Chamilo LMS version 2.0.0-RC.3 to address this vulnerability.
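As an added illustration, not Chamilo's own code and not a reconstruction of its actual decodeSettingArray() implementation, the following PHP contrasts the eval()-based pattern the advisory describes with a decoder that treats the stored setting strictly as data. The function names, the choice of JSON as the storage format, the depth limit and the sample values are all assumptions made for this example.

```php
<?php
// Added example (not Chamilo code): the flaw this advisory describes is that a
// database-stored setting is handed to eval(), so whoever can write that row
// can run PHP as the web server user. The fix is to never interpret the value
// as code: store it in a data format and parse it with a strict decoder.

// Hypothetical vulnerable pattern. The stored text is executed verbatim, so the
// database column is effectively a remote code execution primitive for anyone
// (here, an admin) who can write to it. Shown only for comparison; never called.
function decodeSettingArrayUnsafe(string $stored): array
{
    $decoded = null;
    eval('$decoded = ' . $stored . ';');   // executes database content as PHP
    return is_array($decoded) ? $decoded : [];
}

// Hardened replacement (assumed design): settings are stored as JSON and
// decoded as data. json_decode() with $assoc = true yields only arrays,
// scalars and null, so no part of the value can become executable code or an
// object with magic methods. A small depth limit (assumption: 8) bounds the
// structure an admin can store; malformed input is rejected, not interpreted.
function decodeSettingArraySafe(string $stored): array
{
    try {
        $decoded = json_decode($stored, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];   // not valid JSON: refuse rather than guess
    }
    return is_array($decoded) ? $decoded : [];
}

// Write-side counterpart: validate on save so the stored value is guaranteed to
// be JSON that round-trips, instead of trusting the column at read time only.
function encodeSettingArray(array $settings): string
{
    // JSON_THROW_ON_ERROR surfaces unencodable values (e.g. invalid UTF-8)
    // instead of silently storing "false".
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

// Constructed sample values, not taken from any real installation.
$benign   = encodeSettingArray(['allow_registration' => 'true', 'theme' => 'chamilo']);
$notJson  = 'this is not a setting array';
$wrongTop = '"just a string"';

var_dump(decodeSettingArraySafe($benign));   // array(2) with the two keys
var_dump(decodeSettingArraySafe($notJson));  // array(0): rejected, never executed
var_dump(decodeSettingArraySafe($wrongTop)); // array(0): valid JSON but not an array
```

The point of the pairing is the trust boundary: in the unsafe version the settings table is executable code, so the admin role (and anything that can reach it, such as the chained advisory mentioned above) becomes equivalent to shell access as www-data. In the hardened version the table holds data only, and a malformed or hostile value degrades to an empty setting array rather than to code execution.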