CVE-2021-31933
📋 TL;DR
This vulnerability allows remote authenticated administrators in Chamilo LMS to upload malicious PHP files through directory traversal, leading to remote code execution. Attackers can execute arbitrary code on the server by uploading files with specific extensions like .phar or .pht. Only systems running vulnerable versions of Chamilo with administrator accounts are affected.
💻 Affected Systems
- Chamilo LMS
📦 What is this software?
Chamilo by Chamilo
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized PHP code execution leading to data theft, defacement, or backdoor installation.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and least privilege access controls.
🎯 Exploit Status
Exploit requires administrator credentials but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.11.14
Vendor Advisory: https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-48-2021-04-17-Critical-impact-high-risk-Remote-Code-Execution
Restart Required: No
Instructions:
1. Update to Chamilo LMS version 1.11.15 or later.
2. Apply commits 229302139e8d23bf6862183cf219b967f6e2fbc1 and f65d065061a77bb2e84f73217079ce3998cf3453 if manually patching.
3. Verify file upload functionality works correctly after patching.
🔧 Temporary Workarounds
Restrict File Upload Extensions
Configure the web server to block .phar, .pht, and other PHP-related file extensions from being uploaded or executed.
# For Apache: Add to .htaccess
<FilesMatch "\.(phar|pht|php|php3|php4|php5|php7|phtml)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# For Nginx: Add to server block
location ~ \.(phar|pht|php|php3|php4|php5|php7|phtml)$ {
deny all;
}
Directory Restriction
Implement strict directory permissions to prevent unauthorized file uploads to sensitive locations.
chmod 755 /path/to/chamilo/upload/directories
chown www-data:www-data /path/to/chamilo/upload/directories
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts with multi-factor authentication.
- Deploy a web application firewall (WAF) with rules to block malicious file uploads and directory traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Chamilo version in the admin panel or by examining the source files. Versions 1.11.14 and earlier are vulnerable.
Check Version:
grep -r "version.*1\.11\." /path/to/chamilo/ || cat /path/to/chamilo/main/inc/conf/configuration.php
Verify Fix Applied:
Verify that the installed version is 1.11.15 or later. Test the file upload functionality with restricted extensions to ensure they are blocked.
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with .phar, .pht extensions in web server logs
- Unusual POST requests to file upload endpoints from administrator accounts
- Directory traversal patterns in file upload requests
Network Indicators:
- HTTP POST requests to upload scripts with suspicious filenames
- Traffic spikes to file upload endpoints
SIEM Query:
source="web_logs" (url="*upload*" AND (filename="*.phar" OR filename="*.pht"))
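The log indicators above, turned into a small detection script. This is an added example, not part of the original advisory or of Chamilo: it parses combined-format access-log lines (constructed sample data; the /upload/handler endpoint and user names are made up) and flags POST requests to upload endpoints whose query values end in one of the PHP extensions from the workaround rule or contain a traversal sequence. It assumes the uploaded filename is visible in the request URL, as the SIEM query above also assumes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format; hosts, paths and names are made up.
SAMPLE_LOGS = """\
10.0.0.5 - admin [17/Apr/2021:10:01:12 +0000] "POST /upload/handler?file=shell.phar HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - admin [17/Apr/2021:10:01:13 +0000] "POST /upload/handler?file=..%2F..%2Fweb%2Fx.pht HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Apr/2021:10:02:00 +0000] "GET /courses/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - admin [17/Apr/2021:10:03:41 +0000] "POST /upload/handler?file=notes.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions from the .htaccess / nginx rule above, matched at the end of a decoded value.
PHP_EXT_RE = re.compile(r'\.(?:phar|pht|phtml|php[3457]?)$', re.IGNORECASE)
# "../" or "..\" anywhere in a decoded value (percent-encoding is undone by parse_qsl).
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def scan_access_log(text):
    """Return one finding per POST to an upload endpoint that carries a suspicious value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or "upload" not in m["url"].lower():
            continue
        values = [v for _, v in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True)]
        reasons = []
        if any(PHP_EXT_RE.search(v) for v in values):
            reasons.append("php-extension")
        if any(TRAVERSAL_RE.search(v) for v in values):
            reasons.append("traversal")
        if reasons:
            findings.append({"ip": m["ip"], "user": m["user"], "url": m["url"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOGS):
        print(f"{f['ip']} {f['user']} {f['url']} -> {', '.join(f['reasons'])}")
```

Because the authenticated user is part of each finding, the output can be correlated directly with the administrator-account indicator listed above.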
🔗 References
- http://packetstormsecurity.com/files/162572/Chamilo-LMS-1.11.14-Remote-Code-Execution.html
- https://github.com/chamilo/chamilo-lms/commit/229302139e8d23bf6862183cf219b967f6e2fbc1
- https://github.com/chamilo/chamilo-lms/commit/f65d065061a77bb2e84f73217079ce3998cf3453
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-48-2021-04-17-Critical-impact-high-risk-Remote-Code-Execution