Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) #19629

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

jheysel-r7
Copy link
Contributor

@jheysel-r7 jheysel-r7 commented Nov 11, 2024

Chamilo LMS is a free software e-learning and content management system. In versions prior to <= v1.11.24 a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter action is set to post-unsupported file extension checks are skipped allowing for attacker controlled .php files to be uploaded to: /main/inc/lib/javascript/bigupload/files/ if the /files/ directory already exists - it does not exist by default.

Setup

A vulnerable docker-compose configuration can be found at the following link: vulhub/vulhub#559

  1. Clone the repo git clone https://github.com/vulhub/vulhub.git
  2. Checkout the pull request mentioned above: git checkout CVE-2023-4220
  3. Run cd vulhub/chamilo/CVE-2023-4220
  4. Start the environment: docker compose up
  5. Navigate to http://127.0.0.1:8080 to complete the installation wizard.
  6. Note when filling out the database IP address and credentials - the DB hostname is the name of the container which is
    mariadb (not localhost or 127.0.0.1).
  7. Once the installation wizard is complete the target should be ready to be
    exploited with the module. This container has the non-default /files/ directory created already.

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do: use linux/http/chamilo_bigupload_webshell
  3. Set the RHOST, RPORT, and LHOST options
  4. Run the module
  5. Receive a Meterpreter session as the www-data user.

@adfoster-r7 adfoster-r7 self-assigned this Nov 11, 2024
@jheysel-r7 jheysel-r7 changed the title CVE-2023:4220: Chamilo v1.11.24 Unrestricted File Upload Chamilo v1.11.24 Unrestricted File Upload (CVE-2023:4220) Nov 11, 2024
@jheysel-r7 jheysel-r7 changed the title Chamilo v1.11.24 Unrestricted File Upload (CVE-2023:4220) Chamilo v1.11.24 Unrestricted File Upload (CVE-2023-4220) Nov 12, 2024
@jheysel-r7 jheysel-r7 linked an issue Nov 12, 2024 that may be closed by this pull request
@adfoster-r7 adfoster-r7 removed their assignment Nov 12, 2024
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Chamilo v1.11.24 Unrestricted File Upload PHP Webshell
3 participants