CVE-2023-3545

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass file upload security in Chamilo LMS on Windows/Apache systems by uploading a malicious .htaccess file. Attackers can achieve remote code execution, potentially taking full control of affected systems. All Chamilo LMS installations up to version 1.11.20 running on Windows with Apache are vulnerable.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: <= v1.11.20
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations running Apache web server. Linux systems are not vulnerable to this specific bypass.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution, allowing attackers to install malware, steal data, pivot to other systems, or disrupt operations.

🟠 Likely Case: Unauthenticated attackers achieve remote code execution, leading to data theft, ransomware deployment, or creation of persistent backdoors.

🟢 If Mitigated: Attackers may still upload malicious files but cannot execute them due to proper file permission restrictions and web server hardening.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows attackers to directly target exposed systems without any credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but requires access to the vulnerable application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward and can be chained with CVE-2023-3533 for easier file upload. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.11.21 and later

Vendor Advisory: https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-125-2023-07-13-Critical-impact-Moderate-risk-Htaccess-File-Upload-Security-Bypass-on-Windows-CVE-2023-3545

Restart Required: No

Instructions:

1. Back up your Chamilo installation and database.
2. Download the latest version from https://github.com/chamilo/chamilo-lms.
3. Replace the vulnerable file main/inc/lib/fileUpload.lib.php with the patched version.
4. Verify the fix by checking that the file contains proper .htaccess validation.

🔧 Temporary Workarounds

Restrict .htaccess file uploads (platform: all)

Block uploads of .htaccess files at the web server or application level:

# Apache configuration: add to httpd.conf or the vhost config (not to an
# .htaccess file, which is exactly what an attacker could replace).
# Denying access to .ht* files stops them being served; AllowOverride None
# on the upload directory is what stops Apache from honouring an uploaded
# .htaccess at all. Replace the directory path with your own upload path.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
<Directory "/path/to/chamilo/upload-dir">
    AllowOverride None
</Directory>
# Application-level: add to file upload validation. The /i flag makes the
# match case-insensitive, because Windows file names are.
if (preg_match('/^\.ht/i', $filename)) {
    reject_upload();
}

Disable file upload functionality (platform: all)

Temporarily disable file uploads in Chamilo LMS if they are not essential:

# Edit the PHP/Chamilo configuration to disable uploads
# Set file_uploads = Off in php.ini (this disables all PHP file uploads;
# upload_max_filesize = 0 is not the directive meant for this)
# Or disable upload features in the Chamilo admin panel

🧯 If You Can't Patch

  • Implement strict file upload validation that rejects any file starting with .ht
  • Configure web server to deny execution of uploaded files in the upload directory
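A hardened version of the application-level filename check from the workaround above and the first item in this list, written as an added example (it is not Chamilo's own code). Besides the case-insensitive match it normalises the client-supplied name the way Windows normalises names on disk, so a disguised control-file name is still rejected; the function names and the upload helper are this example's own.

```php
<?php
// Added example, not code from Chamilo. Returns true when the client-supplied
// name would, once stored on a Windows/NTFS filesystem, be an Apache
// per-directory control file (.htaccess, .htpasswd, ...).
function isApacheControlFileName(string $clientName): bool
{
    // Clients can send a path; keep only the final component, treating
    // both slash styles as separators (PHP's basename() on Linux ignores '\').
    $name = basename(str_replace('\\', '/', $clientName));

    // Windows silently drops trailing dots and spaces when creating a file,
    // so ".htaccess." or ".htaccess " would land on disk as ".htaccess".
    $name = rtrim($name, ". ");

    // NTFS is case-insensitive, so the match must be too: without /i a
    // name such as ".HTACCESS" would pass a check that ".htaccess" fails.
    return (bool) preg_match('/^\.ht/i', $name);
}

// Upload wrapper for one $_FILES entry: refuses rejected names without
// touching the temp file, otherwise moves the file into $uploadDir.
function storeUploadSafely(array $file, string $uploadDir): bool
{
    if (!isset($file['name'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    if (isApacheControlFileName($file['name'])) {
        // Log the attempt; this is one of the "Log Indicators" worth alerting on.
        error_log('Rejected upload of Apache control file: ' . $file['name']);
        return false;
    }
    $target = rtrim($uploadDir, '/') . '/' . basename($file['name']);
    return move_uploaded_file($file['tmp_name'], $target);
}

// Constructed sample names to exercise the check; only the first is allowed.
foreach (['notes.txt', '.htaccess', '.HTACCESS', 'dir/.htaccess.', '.htpasswd '] as $n) {
    printf("%-18s %s\n", $n, isApacheControlFileName($n) ? 'reject' : 'allow');
}
```

Pair this with AllowOverride None on the upload directory so that an uploaded .htaccess is ignored by Apache even if a future validation bug lets one through.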

🔍 How to Verify

Check if Vulnerable:

Check if Chamilo version is <= 1.11.20 and running on Windows/Apache. Examine main/inc/lib/fileUpload.lib.php for proper .htaccess file validation.

Check Version:

Check Chamilo version in app/cache/version.php or via admin panel

Verify Fix Applied:

Verify that the patched fileUpload.lib.php validates and rejects .htaccess file uploads. Test that uploading a .htaccess file is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed .htaccess file upload attempts
  • Successful .htaccess file uploads in upload directory
  • Unusual PHP file execution from upload directories

Network Indicators:

  • HTTP POST requests to file upload endpoints with .htaccess files
  • Subsequent requests to uploaded malicious files

SIEM Query:

source="apache_access" AND (uri="/main/inc/lib/fileUpload.lib.php" OR uri="/main/upload/" OR filename="*.htaccess")
