Chamilo LMS Unauthenticated Twig Template Access Vulnerability Allowing Information Disclosure

Vulnerability

A vulnerability in Chamilo LMS prior to version 1.11.38 allows unauthenticated access to Twig template files (.tpl) in the default template directory: the files can be fetched with plain HTTP GET requests, with no authentication. The exposed templates reveal internal application logic, variable names, AJAX endpoint URLs, and the structure of the admin panel. The root cause is that the Apache configuration does not restrict access to these template files, which are rendered server-side and are not meant to be served directly over the web.

Impact

Exploitation of this vulnerability gives an unauthenticated attacker access to sensitive application information, including internal logic, admin panel AJAX endpoint URLs, and variable names, which could facilitate further attacks.

Remediation

Upgrade to Chamilo LMS version 1.11.38 or later. Apache users should also confirm that the server configuration blocks direct access to .tpl files; if the default .htaccess file is not effective, add directives that deny access to these files manually. Nginx users, for whom .htaccess files have no effect, should add equivalent rules denying access to .tpl files.
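The following Apache configuration is an added example, not Chamilo's own .htaccess or vhost configuration. It denies direct HTTP access to any file ending in .tpl, which is the hardening the remediation describes. It assumes Apache 2.4 or later (the legacy 2.2 syntax is shown commented out) and assumes the directive is placed either in the Chamilo web root's .htaccess or inside the site's <VirtualHost> / <Directory> block.

```apache
# Added example (not part of the Chamilo project): block direct web access
# to Twig template files so their contents cannot be read with a GET request.
# Apache 2.4 and later (mod_authz_core):
<FilesMatch "\.tpl$">
    Require all denied
</FilesMatch>

# Apache 2.2 legacy syntax (mod_authz_host), if still in use:
# <FilesMatch "\.tpl$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>
```

If the rule is placed in .htaccess it only takes effect when the enclosing <Directory> allows it (AllowOverride must include AuthConfig for Require directives, and must not be None); when in doubt, put the block in the virtual host configuration instead and reload Apache. Verify the change by requesting one of the site's own template paths and confirming the server answers 403 rather than the file contents. The Nginx equivalent is a regex location that returns 403 for the same extension, for example `location ~ \.tpl$ { deny all; }`, placed inside the server block that serves Chamilo.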

Added: Apr 10, 2026, 7:26 PM
Updated: Apr 10, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 8.6
remediation: 8.3
relevance: 5.7
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.