CVE-2021-35413

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on Chamilo LMS servers by uploading a malicious .htaccess file through the course_intro_pdf_import.php script. It affects Chamilo LMS v1.11.x installations where users have course creation or editing privileges. Successful exploitation gives attackers full control of the affected server.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: v1.11.x (specifically v1.11.14 and earlier)
Operating Systems: All operating systems running Chamilo LMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with course creation/editing permissions. The vulnerable script is part of the standard installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, lateral movement within the network, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Unauthorized access to sensitive student/teacher data, defacement of learning materials, or use of server resources for cryptocurrency mining or botnet activities.

🟢 If Mitigated

Limited impact due to proper file upload restrictions, network segmentation, and minimal user privileges, potentially resulting in isolated file system access only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept demonstrates the attack vector clearly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.11.15 and later

Vendor Advisory: https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-66-2021-05-21-High-impact-very-low-risk-Authenticated-RCE-in-accessory-script

Restart Required: No

Instructions:

1. Back up your Chamilo installation and database.
2. Download the latest version from the official Chamilo repository.
3. Replace the vulnerable course_intro_pdf_import.php file with the patched version.
4. Verify file permissions are properly set.
5. Test the import functionality to ensure it works correctly.

🔧 Temporary Workarounds

Disable vulnerable script

linux

Remove or restrict access to the course_intro_pdf_import.php file to prevent exploitation

mv /path/to/chamilo/main/inc/lib/course_intro_pdf_import.php /path/to/chamilo/main/inc/lib/course_intro_pdf_import.php.disabled
chmod 000 /path/to/chamilo/main/inc/lib/course_intro_pdf_import.php.disabled

Restrict file uploads

all

Configure the web server so that a .htaccess file dropped through the import functionality cannot be fetched over HTTP. Note that the block below only stops the file from being served; it does not stop Apache from reading an uploaded .htaccess as configuration, which requires AllowOverride None on the upload directory.

Add to .htaccess or the web server config (Apache 2.2-style access directives; the pattern is anchored so it matches only the exact file name):

<FilesMatch "^\.htaccess$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can create or edit courses
  • Deploy web application firewall (WAF) rules to block malicious .htaccess file uploads

🔍 How to Verify

Check if Vulnerable:

Check if your Chamilo version is 1.11.14 or earlier by examining the main/inc/conf/configuration.php file or using the admin panel version check

Check Version:

grep "system_version" /path/to/chamilo/main/inc/conf/configuration.php

Verify Fix Applied:

Verify the file main/inc/lib/course_intro_pdf_import.php has been updated to version 1.11.15 or later by checking file modification dates or comparing with official repository

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed .htaccess file upload attempts
  • Unusual file upload activity to course_intro_pdf_import.php
  • Suspicious POST requests with file uploads to the vulnerable endpoint

Network Indicators:

  • Unusual outbound connections from Chamilo server following file uploads
  • Traffic patterns indicating command and control communication

SIEM Query:

source="web_server_logs" AND (uri="/main/inc/lib/course_intro_pdf_import.php" AND method="POST" AND (file_extension=".htaccess" OR content_type="text/plain"))
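As an added example (not part of this advisory), the same detection idea applied to ordinary Apache/nginx combined-format access logs, which do not record the uploaded file name or content type: every POST to the import script is flagged, query string ignored, and repeated posts from one source are counted. The log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Path of the accessory script named in the advisory.
VULN_PATH = "/main/inc/lib/course_intro_pdf_import.php"

# Apache/nginx "combined" log format; the request line is split into method/path/proto.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_import_posts(lines):
    """Return every POST to the vulnerable script as (ip, user, time, status)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop ?course=... so we match the script, not the query
        if rec["method"] == "POST" and path == VULN_PATH:
            hits.append((rec["ip"], rec["user"], rec["time"], int(rec["status"])))
    return hits

def sources_over_threshold(hits, threshold=3):
    """Source IPs that posted to the script at least `threshold` times (repeated upload attempts)."""
    counts = Counter(ip for ip, _, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines: two benign requests, then a burst of POSTs from one host.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2021:10:01:02 +0000] "GET /main/course_home/course_home.php?cidReq=TEST HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2021:10:01:09 +0000] "GET /main/inc/lib/course_intro_pdf_import.php?course=TEST HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - teacher1 [12/Jul/2021:10:02:15 +0000] "POST /main/inc/lib/course_intro_pdf_import.php?course=TEST HTTP/1.1" 200 91 "-" "python-requests/2.25.1"
198.51.100.7 - teacher1 [12/Jul/2021:10:02:16 +0000] "POST /main/inc/lib/course_intro_pdf_import.php?course=TEST HTTP/1.1" 200 91 "-" "python-requests/2.25.1"
198.51.100.7 - teacher1 [12/Jul/2021:10:02:18 +0000] "POST /main/inc/lib/course_intro_pdf_import.php?course=TEST HTTP/1.1" 500 0 "-" "python-requests/2.25.1"
garbage line that should be skipped
"""

if __name__ == "__main__":
    hits = find_import_posts(SAMPLE_LOG.splitlines())
    for h in hits:
        print("POST to import script:", h)
    print("repeat offenders:", sources_over_threshold(hits))
```

A flagged POST is the cue to pull the request body from a WAF or reverse proxy that captures it, since the access log alone cannot show whether a .htaccess was uploaded.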

🔗 References