Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 1.11.36
A vulnerability in Chamilo LMS prior to version 1.11.38 allows authenticated users, including students, to write arbitrary content to files on the server through the BigUpload endpoint. The vulnerability arises because the key parameter can be manipulated to control the filename, while the raw POST body is used as the file content. Although files with a .php extension are renamed to .phps, those with a .pht extension are not modified. On Apache servers that execute .pht files as PHP, this could lead to remote code execution. The issue has been addressed in version 1.11.38.
This vulnerability allows authenticated users to write arbitrary files on the server. The .pht extension bypasses the filename filter, and on Apache servers with .pht files handled as PHP, this could result in remote code execution. Even without executing PHP, the arbitrary file write could be exploited to fill up disk space or to place malicious content on the server.
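As an added illustration (not Chamilo's code), the two filtering strategies side by side in PHP: a denylist rename of the kind the advisory describes, which neutralises only .php and leaves .pht untouched, beside an allowlist that strips path components and rejects any extension not explicitly permitted. Both function names and the sample filenames are constructed for this example.

```php
<?php
// Added example, not Chamilo's own code. Compares a denylist rename with an
// allowlist filename filter for an upload endpoint whose filename is caller-controlled.

declare(strict_types=1);

/** Weak: only neutralises ".php"; ".pht" (and similar) pass through unchanged. */
function weakSanitize(string $name): string
{
    return preg_replace('/\.php$/i', '.phps', $name);
}

/** Hardened: drop directory components, require exactly one allowlisted extension. */
function strictSanitize(string $name): ?string
{
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'zip', 'mp4'];
    $base = basename(str_replace('\\', '/', $name)); // remove any path prefix
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === 0) {
        return null;                       // no extension, or a dotfile
    }
    $stem = substr($base, 0, $dot);
    $ext  = strtolower(substr($base, $dot + 1));
    if (!in_array($ext, $allowed, true)) {
        return null;                       // reject anything not explicitly allowed
    }
    // Reduce the stem to a safe charset so the stored name cannot carry a second extension.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', $stem);
    return $stem . '.' . $ext;
}

// Constructed sample names: the denylist leaves "upload.pht" untouched, the allowlist rejects it.
$samples = ['notes.txt', 'report.php', 'upload.pht', 'a.PHP', '../escape.pht', 'x.y.txt'];
foreach ($samples as $s) {
    printf("%-14s weak=%-16s strict=%s\n", $s, weakSanitize($s), strictSanitize($s) ?? 'REJECTED');
}
```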
Users can upgrade to Chamilo LMS version 1.11.38 to address this vulnerability.