Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.
The vulnerability results from improper sanitization of file names in the `main/inc/lib/fileUpload.lib.php` module. An attacker can upload a file named `.htaccess`, which the filtering mechanism does not properly reject on Windows platform with Apache server. The placed `.htaccess` file allows modifying the server configuration in a given directory, which enables execution of malicious code on the server side. The vulnerability can also be used as part of an attack chain in combination with CVE-2023-3533 (unauthorized arbitrary file write) to obtain full RCE.
An attacker can obtain remote code execution (RCE) on the server, leading to full takeover of the application and potentially the entire system, including violation of confidentiality, integrity and availability of data.
Chamilo LMS should be updated to a version containing the fix available in commit dc7bfce429fbd843a95a57c184b6992c4d709549. Detailed information about the patch is available in the vendor's references and in the project's GitHub repository.
Chamilo LMS in versions up to and including 1.11.20, running on Windows environments with Apache server
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChamilo
APPChamilo≤ 1.11.20
Related vulnerabilities
Command injection w Chamilo LMS umożliwiający RCE bez uwierzytelnienia
Path Traversal i RCE w Chamilo LMS — nieuwierzytelniony zapis pliku
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attac...
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or ...
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated ...