Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- < 2.0.0-RC.3
A command injection vulnerability has been identified in Chamilo LMS versions prior to 2.0.0-RC.3. The issue resides in the gradebook AJAX endpoint, specifically in the export_all_certificates action. Authenticated users can execute arbitrary commands on the server by injecting shell metacharacters into the course code variable, which is then passed to a shell_exec() call without proper sanitization. Exploitation of this vulnerability could lead to unauthorized access to system files, application data, and disruption of server availability.
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server with the same privileges as the web server user. This could result in unauthorized access to sensitive files and credentials, modification of application and database content, or disruption of server operations.
To reproduce this vulnerability, an authenticated user must manipulate their session data to inject shell metacharacters into the '_cid' variable. This can be done by exploiting a session fixation or session hijacking vulnerability, if available, or by using a tool that allows for session data manipulation. Once the '_cid' variable is poisoned with malicious payloads, the user can trigger the 'export_all_certificates' action, which will execute the injected commands on the server.
Users are advised to update to Chamilo LMS version 2.0.0-RC.3 or later, and to apply the patch available in commit 62671e5.
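For code that cannot be updated immediately, or for reviewing similar call sites, the following added example shows the vulnerable pattern described above next to three hardening steps. It is not Chamilo's code and not the change made in commit 62671e5; the function names, the course-code pattern and the stand-in command (printf) are assumptions chosen so the script runs harmlessly offline.

```php
<?php
// Added illustration, not Chamilo's code. Function names, the course-code
// pattern and the stand-in command (printf) are assumptions.

// Vulnerable pattern: the value is concatenated into a string for shell_exec().
function buildExportCommandUnsafe(string $courseCode): string
{
    return "printf '%s\\n' exporting-" . $courseCode;
}

// Check 1: allowlist validation; anything but a plain identifier is rejected.
function isValidCourseCode(string $courseCode): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,40}\z/', $courseCode) === 1;
}

// Check 2: if a shell string is unavoidable, quote the argument.
function buildExportCommandQuoted(string $courseCode): string
{
    return "printf '%s\\n' " . escapeshellarg('exporting-' . $courseCode);
}

// Check 3 (preferred): no shell at all. With an array command (PHP 7.4+),
// proc_open() runs the program directly and each element is one argv entry.
function runExportNoShell(string $courseCode): string
{
    if (!isValidCourseCode($courseCode)) {
        throw new InvalidArgumentException('invalid course code');
    }
    $proc = proc_open(['printf', '%s\n', 'exporting-' . $courseCode],
        [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed sample inputs: a normal code and one with a shell metacharacter.
foreach (['MATH101', 'MATH101; echo INJECTED'] as $code) {
    echo "input:  $code\n";
    echo "unsafe: " . buildExportCommandUnsafe($code) . "\n";
    echo "quoted: " . buildExportCommandQuoted($code) . "\n";
    echo "valid:  " . var_export(isValidCourseCode($code), true) . "\n\n";
}
echo runExportNoShell('MATH101');
```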