Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) #19629
+208 −0
Chamilo LMS is a free software e-learning and content management system. In versions <= v1.11.24 a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter `action` is set to `post-unsupported`, file extension checks are skipped, allowing attacker-controlled .php files to be uploaded to `/main/inc/lib/javascript/bigupload/files/` if the `/files/` directory already exists - it does not exist by default.

Setup
A vulnerable docker-compose configuration can be found at the following link: vulhub/vulhub#559

    git clone https://github.com/vulhub/vulhub.git
    cd vulhub
    git checkout CVE-2023-4220
    cd chamilo/CVE-2023-4220
    docker compose up
http://127.0.0.1:8080 to complete the installation wizard.
`mariadb` (not `localhost` or `127.0.0.1`).
exploited with the module. This container has the non-default `/files/` directory created already.

Verification
List the steps needed to make sure this thing works
`use linux/http/chamilo_bigupload_webshell`
`RHOST`, `RPORT`, and `LHOST` options
`www-data` user.
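As an added defensive example (not part of this PR or the Metasploit module), the following Python flags the two indicators the description names when run over web-server access logs: an upload request under the bigupload directory carrying `action=post-unsupported`, and any later request for a `.php` file inside its `files/` directory. The log lines and the `bigUpload.php` script name are constructed sample data; the detector keys only on the directory prefix and the parameter, not on the script name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Directory names taken from the advisory text: the upload endpoint sits under
# the bigupload directory and uploads land in its non-default files/ directory.
BIGUPLOAD_DIR = "/main/inc/lib/javascript/bigupload/"
UPLOAD_FILES_DIR = BIGUPLOAD_DIR + "files/"

# Combined log format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines, not real traffic. The script name
# bigUpload.php is an assumption; the detector does not depend on it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /main/inc/lib/javascript/bigupload/files/upload.php HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /main/inc/lib/javascript/bigupload/files/ HTTP/1.1" 404 200 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return a finding string for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    action = parse_qs(parts.query).get("action", [])
    # 1) Upload request carrying the parameter that skips the extension check.
    if path.startswith(BIGUPLOAD_DIR) and "post-unsupported" in action:
        return f"{m['ip']} {m['ts']} bypass-upload {m['method']} {parts.path} status={m['status']}"
    # 2) Request for a .php file in the upload directory: a dropped file being executed.
    if path.startswith(UPLOAD_FILES_DIR) and path.endswith(".php"):
        return f"{m['ip']} {m['ts']} uploaded-php-access {m['method']} {parts.path} status={m['status']}"
    return None


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 on the second indicator after a 200 on the first from the same client is the strongest signal; a 404 on the `files/` path suggests the non-default directory is absent and the attempt failed.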