CVE-2023-3533 Overview
CVE-2023-3533 is a critical path traversal vulnerability in Chamilo LMS versions 1.11.20 and earlier. The flaw is in the file upload handling of /main/webservices/additional_webservices.php, which uses a user-supplied file name to build a destination path without checking it for directory traversal sequences. Because the endpoint requires no authentication, a remote attacker can write files to attacker-chosen locations anywhere the web server account can write, which in practice enables stored cross-site scripting (XSS) and, once a server-executable file lands in a web-served directory, remote code execution (RCE).
Critical Impact
Unauthenticated attackers can exploit this path traversal vulnerability to achieve arbitrary file write, leading to stored XSS and remote code execution on vulnerable Chamilo LMS installations.
Affected Products
- Chamilo LMS versions <= 1.11.20 (the 1.11.x branch)
- Any deployment in which /main/webservices/additional_webservices.php is reachable over the network; the endpoint needs no authentication, so exposure does not depend on user accounts or roles
Discovery Timeline
- 2023-07-13 - Vulnerability classified as Critical impact, High risk by Chamilo (Issue-124)
- 2023-11-28 - CVE-2023-3533 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-3533
Vulnerability Analysis
This vulnerability stems from insufficient validation of the file name in the upload handling code within additional_webservices.php. The endpoint used the client-supplied name to build the destination path without rejecting traversal sequences such as .., so a crafted name resolves to a location outside the intended upload directory. The write is performed with the privileges of the web server process, so the reachable targets are whatever that account can write to rather than arbitrary system files; the dangerous cases are web-served directories (where a planted script or HTML file becomes reachable) and application or web-server configuration files owned by that account.
The vulnerability is particularly dangerous because no authentication is required. Any client that can reach the endpoint can drop a PHP webshell or other payload and from there obtain code execution on the server. Unauthenticated access combined with an arbitrary file write makes this a high-priority fix for any organization running Chamilo LMS.
Root Cause
The root cause of CVE-2023-3533 is the absence of any path traversal check in the file name handling. Before the patch, the file_name value was passed through Security::sanitizeExecParam(), which only stripped four characters (backtick, semicolon, ampersand and pipe, as the diff below shows); dots and slashes survived, so a name such as ../../target.php was used as-is to build the destination path.
Additionally, sanitizeExecParam() did not quote its output as a shell argument. It removed a handful of metacharacters but left others (quotes, dollar signs, parentheses, whitespace) untouched and did not call escapeshellarg(), so the same values were passed to shell commands such as the ppt2png conversion with only a partial denylist between them and the shell. That compounds the traversal bug with a command-injection risk; escapeshellarg() wraps the whole value in single quotes so the shell treats it as one literal word.
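To make the root cause concrete, the following added example (written for this page, not code from Chamilo or the advisory) mirrors the pre-patch character filter visible in the diff below and shows that a traversal payload passes through it unchanged, then contrasts it with allowlist validation and proper shell quoting (shlex.quote, the Python counterpart of escapeshellarg()). The upload root, the allowed extensions and the SAFE_NAME pattern are assumptions chosen for the example, not Chamilo's values.

```python
"""Added example: pre-patch filter vs. allowlist validation for an upload file name.
Nothing here is Chamilo code; the upload root, extension list and name pattern
are assumptions made for illustration."""
import posixpath
import re
import shlex

# Assumed upload root, standing in for the wsConvert/ directory under the archive path.
UPLOAD_ROOT = "/srv/chamilo/archive/wsConvert"

# Extensions the conversion service is assumed to accept (example values only).
ALLOWED_EXT = {"ppt", "pptx", "odp"}
# One path segment: starts alphanumeric, then a conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def legacy_sanitize_exec_param(param: str) -> str:
    """Pre-patch behaviour: remove only ` ; & | and return everything else unchanged."""
    return re.sub(r"[`;&|]", "", param)


def resolve_legacy(file_name: str) -> str:
    """Destination the pre-patch logic derives from the client's file name, normalised."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, legacy_sanitize_exec_param(file_name)))


def escapes_root(path: str) -> bool:
    """True when a normalised path lies outside UPLOAD_ROOT."""
    return path != UPLOAD_ROOT and not path.startswith(UPLOAD_ROOT + "/")


def is_safe_file_name(file_name: str) -> bool:
    """Allowlist check: a single path segment, safe characters, allowed extension.
    Rejecting is preferred over 'cleaning', which silently changes the name."""
    if any(bad in file_name for bad in ("\x00", "/", "\\", "..")):
        return False
    if not SAFE_NAME.match(file_name):
        return False
    base, dot, ext = file_name.rpartition(".")
    return bool(base) and dot == "." and ext.lower() in ALLOWED_EXT


def resolve_hardened(file_name: str) -> str:
    """Resolve only names that pass the allowlist; the result cannot leave the root."""
    if not is_safe_file_name(file_name):
        raise ValueError(f"rejected file name: {file_name!r}")
    return posixpath.join(UPLOAD_ROOT, file_name)


def hardened_shell_arg(param: str) -> str:
    """Equivalent of escapeshellarg(): a single-quoted word the shell will not interpret."""
    return shlex.quote(param)


if __name__ == "__main__":
    for name in ("lecture-01.pptx", "../../web/x.php", "$(id).ppt"):
        print(f"{name!r}: legacy -> {resolve_legacy(name)}  safe={is_safe_file_name(name)}")
    # The legacy filter leaves "$(id).ppt" intact; quoting makes it inert.
    print("legacy  :", legacy_sanitize_exec_param("$(id).ppt"))
    print("quoted  :", hardened_shell_arg("$(id).ppt"))
```

The point of the allowlist is that a name containing a single dot (lecture.v2.pptx) is still accepted, while anything with a separator, a double dot, a disallowed character or an unexpected extension is refused outright instead of being rewritten into something the developer never intended.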
Attack Vector
The attack uses the network-accessible webservices endpoint and requires no authentication. An attacker sends a crafted HTTP request to /main/webservices/additional_webservices.php whose file_name parameter contains traversal sequences (e.g., ../../malicious.php). The server builds the destination path from that name and writes the supplied file content there, enabling:
- Stored XSS - By uploading malicious HTML/JavaScript files to web-accessible directories
- Remote Code Execution - By uploading PHP webshells or other executable scripts
- Configuration Tampering - By overwriting .htaccess or other configuration files
The following patch shows how Chamilo addressed the path traversal vulnerability:
}
$fileData = $pptData['file_data'];
// Clean filename to avoid hacks. Prevents "&" and ";" to be used in filename, notably
- $sanitizedFileName = Security::sanitizeExecParam($pptData['file_name']);
+
+ if (strpos($pptData['file_name'], '..') !== false) {
+ return false;
+ }
+
+ $sanitizedFileName = $pptData['file_name'];
$dataInfo = pathinfo($sanitizedFileName);
$fileName = basename($sanitizedFileName, '.'.$dataInfo['extension']);
// Add additional cleaning of .php and .htaccess files
$fullFileName = Security::filter_filename($sanitizedFileName);
- $size = Security::sanitizeExecParam($pptData['service_ppt2lp_size']);
+ $size = $pptData['service_ppt2lp_size'];
$w = '800';
$h = '600';
if (!empty($size)) {
list($w, $h) = explode('x', $size);
}
+ $w = (int) $w;
+ $h = (int) $h;
+
$tempArchivePath = api_get_path(SYS_ARCHIVE_PATH);
$tempPath = $tempArchivePath.'wsConvert/'.$fileName.'/';
$tempPathNewFiles = $tempArchivePath.'wsConvert/'.$fileName.'-n/';
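Review bot: the comment "Clean filename to avoid hacks. Prevents "&" and ";" to be used in filename" above the new code is now stale, because $sanitizedFileName = $pptData['file_name']; takes the name unchanged and the only remaining check is strpos($pptData['file_name'], '..') !== false. Either update the comment or, better, validate positively: reduce the name to basename() up front and accept only an explicit character set and extension list, rather than a substring denylist that also rejects legitimate names such as "v1..final.ppt" while saying nothing about a name with a single "/" (basename() on the next lines strips directories for $fileName, but $fullFileName is derived from the full $sanitizedFileName). Separately, list($w, $h) = explode('x', $size); still assumes the size contains an "x"; the new (int) casts fix the type but not a missing second element.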
Source: GitHub Commit 37be9ce
Additionally, the shell argument sanitization was improved:
*/
public static function sanitizeExecParam(string $param): string
{
- return preg_replace('/[`;&|]/', '', $param);
+ $param = preg_replace('/[`;&|]/', '', $param);
+
+ return escapeshellarg($param);
}
private static function generateSecTokenVariable(string $prefix = ''): string
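Review bot: wrapping the result in escapeshellarg() changes the function's contract from "string with ` ; & | removed" to "single-quoted shell word", so any caller that concatenates the return value into a path, a file name or an argument that is already quoted will now receive literal quote characters; the two call sites removed in the hunk above were exactly such uses, and the remaining callers should be audited before this lands. With escapeshellarg() in place the preceding preg_replace() is redundant (the quoting neutralises backtick, ";", "&" and "|"), so consider dropping it to avoid silently altering values, and state in the docblock that the return value is a ready-to-use shell argument, not a cleaned string.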
Source: GitHub Commit 37be9ce
Detection Methods for CVE-2023-3533
Indicators of Compromise
- Unexpected files appearing in web-accessible directories, particularly PHP files outside normal upload locations
- HTTP requests to /main/webservices/additional_webservices.php whose parameters contain .. sequences, plain or percent-encoded
- New or modified .htaccess files in non-standard locations
- Web server access logs showing POST requests to the endpoint from unexpected clients; note that an access log records only the request line, so parameters sent in a POST body are visible only in a WAF, reverse-proxy or application audit log that captures request bodies
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block traversal sequences (../, ..\, ..%2f, %2e%2e/, %2e%2e%2f and double-encoded forms such as %252e%252e%252f) in requests to Chamilo; decode and normalise before matching, and treat the rule as a stop-gap, since encoding variations routinely evade signature denylists
- Monitor file system integrity for unexpected file creations or modifications in web-accessible directories
- Review web server access logs for requests targeting /main/webservices/additional_webservices.php with suspicious parameters
- Deploy endpoint detection and response (EDR) solutions to detect web shell activity or unauthorized PHP execution
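The log review and WAF strategies above can be prototyped with the following added detection example (written for this page, not from the advisory, from Chamilo or from any vendor product). It parses combined-format access-log lines, restricts attention to the vulnerable endpoint, and flags traversal sequences after repeated percent-decoding so that ../, ..%2f, %2e%2e/ and double-encoded %252e%252e%252f are all caught. The log lines and the request body are constructed for the example; the real service's message format is not reproduced. Because an access log records only the request line, the same check is exposed as has_traversal() for bodies captured by a WAF or proxy audit log.

```python
"""Added detection example: flag traversal attempts against the Chamilo
webservice endpoint in access-log lines.  Sample lines are constructed."""
import re
from urllib.parse import unquote

ENDPOINT = "/main/webservices/additional_webservices.php"

# "../" or "..\" anywhere in the decoded text.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic; the GET query strings are illustrative only).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2023:10:15:02 +0000] "POST /main/webservices/additional_webservices.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Jul/2023:10:15:03 +0000] "GET /main/webservices/additional_webservices.php?file_name=..%2f..%2fweb%2fx.php HTTP/1.1" 200 80 "-" "curl/8.0.1"',
    '198.51.100.4 - - [14/Jul/2023:10:16:00 +0000] "GET /main/webservices/additional_webservices.php?f=%252e%252e%252fweb%252fx.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Jul/2023:10:17:00 +0000] "GET /main/inc/lib/javascript/jquery.min.js HTTP/1.1" 200 89476 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Jul/2023:10:17:05 +0000] "GET /main/../main/index.php HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) to defeat single and double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(text: str) -> bool:
    """True when the decoded text contains a traversal sequence; works for URLs and bodies."""
    return TRAVERSAL.search(fully_decode(text)) is not None


def classify(line: str):
    """Return (ip, method, status, reasons) for a line worth reviewing, else None.
    Decoding happens before the endpoint match so an encoded path cannot slip past it."""
    m = LINE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    if ENDPOINT not in target:  # 'in' rather than startswith: Chamilo may live under a sub-path
        return None
    reasons = []
    if has_traversal(target):
        reasons.append("traversal sequence in request target")
    if m["method"] == "POST":
        reasons.append("POST to the webservice endpoint; body not in access log, check WAF/audit log")
    return (m["ip"], m["method"], int(m["status"]), reasons) if reasons else None


def scan(lines):
    """Apply classify() to every line and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for ip, method, status, reasons in scan(SAMPLE_LOG):
        print(ip, method, status, "; ".join(reasons))
    # Same check on a captured request body (constructed, not the real message format).
    print("body check:", has_traversal("file_name=..%2F..%2Fweb%2Fx.php"))
```

The last sample line contains a traversal sequence but targets a different path, so it is deliberately ignored; widen the endpoint filter if you want to hunt for traversal attempts across the whole application.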
Monitoring Recommendations
- Enable detailed logging for the Chamilo LMS application, particularly for webservices endpoints
- Configure file integrity monitoring (FIM) on web application directories to alert on unauthorized file changes
- Implement anomaly detection for unusual file upload patterns or requests from unfamiliar IP addresses
- Use SentinelOne Singularity to monitor for post-exploitation behaviors such as web shell execution and lateral movement
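The file integrity monitoring recommended above, and the post-exploitation audit under Immediate Actions below, amount to the same operation: snapshot the web root, compare with a known-good baseline, and escalate new or changed files that can execute code or alter web-server behaviour. The following added example is a small stand-alone script written for this page, not a Chamilo tool or any vendor's product; the sample tree is built in a temporary directory and its paths and contents are constructed.

```python
"""Added example: minimal file-integrity baseline and diff for a web root.
Not Chamilo code; the sample tree, paths and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Names a planted file is likely to carry; extend to match the PHP handler mapping in use.
FLAGGED_SUFFIXES = {".php", ".phtml", ".phar"}
FLAGGED_NAMES = {".htaccess", ".user.ini"}


def snapshot(root) -> dict:
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def is_flagged(rel_path: str) -> bool:
    """True for files that can execute code or change web-server behaviour."""
    name = Path(rel_path).name
    return name in FLAGGED_NAMES or Path(name).suffix.lower() in FLAGGED_SUFFIXES


def suspicious_changes(changes: dict) -> list:
    """New or modified files that a FIM alert should escalate."""
    return sorted(p for p in changes["added"] + changes["modified"] if is_flagged(p))


def demo() -> tuple:
    """Build a toy web root, take a baseline, simulate post-exploitation writes, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main/webservices").mkdir(parents=True)
        (root / "app/upload").mkdir(parents=True)
        (root / "main/webservices/additional_webservices.php").write_text("<?php // shipped\n")
        (root / "app/upload/lecture.pptx").write_bytes(b"PK\x03\x04 constructed")
        baseline = snapshot(root)

        # Simulated attacker activity: planted script, handler override, tampered core file, noise.
        (root / "app/upload/x.php").write_text("<?php /* planted */\n")
        (root / "app/upload/.htaccess").write_text("AddType application/x-httpd-php .jpg\n")
        (root / "main/webservices/additional_webservices.php").write_text("<?php // tampered\n")
        (root / "app/upload/notes.txt").write_text("benign\n")

        changes = diff_snapshots(baseline, snapshot(root))
        return changes, suspicious_changes(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    print("changes :", changes)
    print("flagged :", flagged)
```

In production the baseline should come from a clean install of the same Chamilo release (or the vendor's package contents), be stored outside the web root, and be refreshed only as part of a controlled upgrade; a modified copy of a shipped file such as additional_webservices.php is as significant a finding as a new PHP file in an upload directory.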
How to Mitigate CVE-2023-3533
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.22 or later, which contains the security fix
- If immediate patching is not possible, block access to /main/webservices/additional_webservices.php at the web server or reverse proxy; this also cuts off legitimate clients of that webservice, so treat it as a stop-gap until the upgrade is done
- Audit the file system for any unauthorized files that may have been uploaded through exploitation
- Review web server logs for indicators of exploitation attempts
Patch Information
Chamilo has released a security patch addressing this vulnerability in commit 37be9ce7243a30259047dd4517c48ff8b21d657a. The fix rejects any file_name containing .. before the name is used, stops routing file_name and the size parameter through sanitizeExecParam(), changes sanitizeExecParam() to wrap its output with escapeshellarg() so that values reaching the shell are quoted, and casts the width and height to integers.
Organizations should apply this patch by upgrading to Chamilo LMS version 1.11.22 or later. Detailed information about the security issue is available in the Chamilo Security Issues wiki and the StarLabs Security Advisory.
Workarounds
- Block access to the vulnerable endpoint /main/webservices/additional_webservices.php using web server configuration or firewall rules
- Implement web application firewall rules to filter requests containing path traversal patterns targeting Chamilo endpoints
- Disable the webservices functionality entirely if not required for your deployment
- Apply strict file system permissions so that the web server user can write only to the upload and cache directories the application needs, and serve those writable directories without PHP execution so that a file planted there cannot run even if the write succeeds
# Apache 2.4 configuration to block access to the vulnerable endpoint
# (prefix the path with the install sub-directory if Chamilo is not at the
# site root; on Apache 2.2 use "Order deny,allow" and "Deny from all" instead)
<Location "/main/webservices/additional_webservices.php">
    Require all denied
</Location>
# Nginx configuration to block access. The exact-match location (=) takes
# precedence over the usual "location ~ \.php$" block that hands PHP files
# to the FastCGI backend, so the request never reaches PHP.
location = /main/webservices/additional_webservices.php {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


