CVE-2023-4223

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with learner roles in Chamilo LMS to upload arbitrary PHP files through the document upload functionality. Successful exploitation leads to remote code execution on the server. All Chamilo LMS installations running version 1.11.24 or earlier are affected.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: <= v1.11.24
Operating Systems: All operating systems running Chamilo LMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with learner role or higher. The vulnerability exists in the default installation without any special configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing attackers to execute arbitrary commands, access sensitive data, pivot to internal networks, and maintain persistent access.

🟠 Likely Case

Attackers upload web shells to gain control over the Chamilo application server, potentially accessing user data, modifying content, or using the server for further attacks.

🟢 If Mitigated

If proper file upload validation and web application firewalls are in place, exploitation attempts would be blocked, limiting impact to failed upload attempts.

🌐 Internet-Facing: HIGH - Internet-facing Chamilo instances are directly accessible to attackers who can create learner accounts or compromise existing ones.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or attackers who gain internal network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has valid credentials. Public exploit details are available in the advisory links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.11.25 and later

Vendor Advisory: https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226

Restart Required: No

Instructions:

1. Back up your Chamilo installation and database.
2. Download the latest version from the official Chamilo website.
3. Replace the affected files with patched versions from the GitHub commits.
4. Verify the patch by checking that file uploads properly validate file types.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block uploads of PHP files to the vulnerable endpoint

Add a WAF rule that blocks requests to /main/inc/ajax/document.ajax.php whose upload data carries a PHP file extension (.php, .phtml, .phar and similar). Extension matching at the WAF is a stopgap only; it does not replace the patch.

File Extension Restriction

Platform: linux

Configure the web server so that PHP files in the uploaded-document directories are never executed

Add to .htaccess (Apache) in the directories that hold uploaded documents, not site-wide, or the application's own PHP files stop working:

  <FilesMatch "\.php$">
      Deny from all
  </FilesMatch>

(On Apache 2.4 the equivalent is "Require all denied"; "Deny from all" only works there with mod_access_compat loaded. Widen the pattern to other extensions your PHP handler maps, such as .phtml and .phar.)

Add to the nginx config, scoped to the uploaded-document paths and placed before the general PHP location that passes requests to PHP-FPM (regex locations are matched in order and the first match wins):

  location ~ \.php$ { deny all; }

🧯 If You Can't Patch

  • Disable the document upload functionality for learner roles in Chamilo configuration
  • Implement strict file upload validation at the application level to reject PHP and other executable file types
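As an added illustration of the second point, here is an application-level upload check written in Python for this page; it is not Chamilo code and not taken from the advisory. The allowlist, the executable-extension set and the function names are assumptions for the example. It rejects PHP-family extensions wherever they appear in the name (so double extensions such as notes.php.txt are refused), enforces an allowlist on the final extension, strips client-supplied path components, and additionally refuses any body that contains a PHP open tag, regardless of the name.

```python
import os
import re

# Constructed allowlist of document types a course might legitimately accept.
# Adjust to your deployment; the point is deny-by-default, not this exact set.
ALLOWED_EXTENSIONS = {
    "pdf", "txt", "png", "jpg", "jpeg", "gif", "docx", "xlsx", "pptx",
    "odt", "ods", "odp", "zip", "mp3", "mp4",
}

# Extensions common web servers may hand to a PHP interpreter (or that alter
# server behaviour). Rejected wherever they appear in the name, so
# "notes.php.txt" is refused as well as "notes.php".
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "phpt", "cgi", "pl", "py", "sh", "htaccess",
}

# Only plain ASCII names: blocks null bytes, path separators and Unicode tricks.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Byte markers that indicate PHP code in the upload body, whatever the name says.
_PHP_MARKERS = (b"<?php", b"<?=")


def validate_upload_name(filename: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file name."""
    # Strip any directory component the client supplied.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or name.startswith("."):
        return False, "empty, hidden or traversal name"
    if not _SAFE_NAME.match(name):
        return False, "disallowed characters in name"
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return False, "missing extension"
    extensions = parts[1:]
    for ext in extensions:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension '{ext}' rejected"
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{extensions[-1]}' not in allowlist"
    return True, "ok"


def looks_like_php(data: bytes) -> bool:
    """True if the upload body carries a PHP open tag anywhere (polyglot check)."""
    lowered = data.lower()
    return any(marker in lowered for marker in _PHP_MARKERS)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Combined name and content check; both must pass."""
    ok, reason = validate_upload_name(filename)
    if not ok:
        return ok, reason
    if looks_like_php(data):
        return False, "PHP code detected in file content"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads to show each decision path.
    samples = [
        ("report.pdf", b"%PDF-1.4 ..."),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff"),
        ("photo.jpg", b"\xff\xd8\xff <?php echo 1; ?>"),
        ("../../shell.php", b"<?php echo 1; ?>"),
    ]
    for name, body in samples:
        print(f"{name!r:32} -> {validate_upload(name, body)}")
```

Pair this with storage outside the web root or the no-execute web server rules from the workarounds above; name and content checks reduce the attack surface but are not a substitute for the server refusing to execute anything in the upload tree.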

🔍 How to Verify

Check if Vulnerable:

Check whether your Chamilo version is <= 1.11.24; on such a version /main/inc/ajax/document.ajax.php is present and accepts document uploads without proper file type validation.

Check Version:

Check Chamilo configuration file or admin panel for version information, or examine the main/inc/conf/configuration.php file

Verify Fix Applied:

Attempt to upload a PHP file as a learner user - it should be rejected with proper error messages. Verify version is >= 1.11.25.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts with PHP extensions
  • Successful uploads of PHP files to document directories
  • Unusual file upload activity from learner accounts

Network Indicators:

  • POST requests to /main/inc/ajax/document.ajax.php with PHP file content
  • Subsequent requests to uploaded PHP files in document directories

SIEM Query:

source="web_server" AND (url="/main/inc/ajax/document.ajax.php" AND method="POST" AND (file_extension="php" OR content_type LIKE "%php%"))
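To show the log and network indicators above as working detection logic, here is an added Python example written for this page (not part of the advisory and not Chamilo code). It parses combined-format access log lines, raises an informational alert for each POST to /main/inc/ajax/document.ajax.php, raises a high-severity alert for any request to a PHP-family file under a "document" directory, and escalates that to critical when the same client IP POSTed to the upload endpoint within the preceding hour. The sample log lines are constructed, and the course path layout they use is an assumption to adjust to your deployment.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields this detection needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Upload endpoint named in the advisory.
UPLOAD_ENDPOINT = "/main/inc/ajax/document.ajax.php"

# A PHP-family file under any "document" directory. The course path layout
# (e.g. /app/courses/<code>/document/) is an assumption; tune it to your install.
PHP_UNDER_DOCS_RE = re.compile(r"/document/.*\.ph(?:p\d?|tml|ar)(?:$|[?/])", re.I)

# Constructed sample lines (not real traffic): one upload followed by a fetch of
# a .php file in the course document tree, plus benign noise from other clients.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2023:10:01:12 +0000] "POST /main/inc/ajax/document.ajax.php HTTP/1.1" 200 312',
    '10.0.0.5 - - [04/Sep/2023:10:01:40 +0000] "GET /app/courses/TEST101/document/notes.php HTTP/1.1" 200 58',
    '10.0.0.9 - - [04/Sep/2023:10:02:05 +0000] "GET /app/courses/TEST101/document/slides.pdf HTTP/1.1" 200 88231',
    '10.0.0.7 - - [04/Sep/2023:12:30:00 +0000] "GET /app/courses/TEST101/document/readme.phtml HTTP/1.1" 404 210',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines, window: timedelta = timedelta(hours=1)):
    """Return alerts for upload-endpoint POSTs and PHP requests under document dirs.

    A PHP request from an IP that POSTed to the upload endpoint within `window`
    is escalated to 'critical' (upload-then-request chain); otherwise 'high'.
    """
    alerts = []
    last_upload = {}  # ip -> timestamp of its most recent POST to the upload endpoint
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        bare_path = ev["path"].split("?", 1)[0]
        if ev["method"] == "POST" and bare_path == UPLOAD_ENDPOINT:
            last_upload[ev["ip"]] = ev["ts"]
            alerts.append({"ip": ev["ip"], "ts": ev["ts"], "type": "upload_endpoint_post",
                           "severity": "info", "path": ev["path"], "status": ev["status"]})
            continue
        if PHP_UNDER_DOCS_RE.search(bare_path):
            prior = last_upload.get(ev["ip"])
            chained = prior is not None and timedelta(0) <= ev["ts"] - prior <= window
            alerts.append({"ip": ev["ip"], "ts": ev["ts"], "type": "php_under_document_dir",
                           "severity": "critical" if chained else "high",
                           "path": ev["path"], "status": ev["status"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']:8}] {a['ts'].isoformat()} {a['ip']} {a['type']} {a['path']} ({a['status']})")
```

A 404 on the PHP request (the last sample line) still alerts: on a patched or hardened host it is the expected outcome of a probe, and the upload-endpoint POST that precedes it is the signal worth correlating against the learner account in the application log.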
