CVE-2026-33704 Overview
CVE-2026-33704 is an arbitrary file write vulnerability in Chamilo LMS, an open-source learning management system, that can lead to Remote Code Execution (RCE). The vulnerability exists in versions prior to 1.11.38 and allows any authenticated user, including those with low-privilege student accounts, to write arbitrary content to files on the server via the BigUpload endpoint. By exploiting incomplete file extension filtering, attackers can upload malicious PHP files with the .pht extension, which on many Apache configurations is executed as PHP code.
Critical Impact
Authenticated users with minimal privileges can achieve full Remote Code Execution on vulnerable Chamilo LMS servers, potentially compromising the entire learning management platform and underlying infrastructure.
Affected Products
- Chamilo LMS versions prior to 1.11.38
- Chamilo LMS installations running on Apache with .pht PHP handler configuration
- Any deployment using the BigUpload functionality
Discovery Timeline
- 2026-04-10 - CVE-2026-33704 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33704
Vulnerability Analysis
This vulnerability stems from insufficient file extension validation in the BigUpload endpoint of Chamilo LMS. The endpoint allows authenticated users to upload files where the key parameter controls the filename and the raw POST body becomes the file content. While the application attempts to filter dangerous file extensions by converting .php to .phps, the filtering mechanism fails to account for the .pht extension—an alternative PHP file extension that Apache can be configured to execute as PHP code.
The vulnerability is particularly dangerous because it requires only basic authentication to exploit. Even users with student-level privileges can leverage this flaw to write arbitrary content to the server filesystem. On Apache web servers where .pht files are configured to be handled by the PHP interpreter, this effectively grants the attacker full Remote Code Execution capabilities.
Root Cause
The root cause is an incomplete regular expression pattern in the php2phps() function within main/inc/lib/fileUpload.lib.php. The original regex pattern attempted to neutralize dangerous PHP-related extensions but omitted the .pht extension family from its filter list. This oversight allowed attackers to bypass the security control by using .pht instead of .php for their malicious payloads.
Attack Vector
The attack is network-based and requires low-privilege authentication. An attacker would:
- Authenticate to the Chamilo LMS platform with any valid user account (including student accounts)
- Send a crafted request to the BigUpload endpoint with a malicious filename containing the .pht extension in the key parameter
- Include PHP code in the raw POST body of the request
- Access the uploaded file via web browser to trigger code execution
The following patch shows the security fix applied in the php2phps() function:
*/
function php2phps($file_name)
{
- return preg_replace('/\.(phar.?|php.?|phtml.?)(\\.){0,1}.*$/i', '.phps', $file_name);
+ return preg_replace('/\.(phar.?|php.?|pht.?|phtml.?)(\\.){0,1}.*$/i', '.phps', $file_name);
}
/**
Source: GitHub Commit Update
Detection Methods for CVE-2026-33704
Indicators of Compromise
- Presence of .pht files in the Chamilo upload directories (typically app/upload/ or related paths)
- Unexpected files with PHP code content in upload folders
- Web server access logs showing requests to .pht files
- Anomalous POST requests to the BigUpload endpoint with suspicious key parameter values
Detection Strategies
- Monitor file creation events for .pht, .pht3, .pht4, .pht5, and similar extensions in web-accessible directories
- Implement web application firewall (WAF) rules to block requests containing .pht extensions to upload endpoints
- Audit authentication logs for unusual upload activity from low-privilege accounts
- Deploy file integrity monitoring on Chamilo upload directories
Monitoring Recommendations
- Enable verbose logging for the BigUpload endpoint and review for anomalous patterns
- Set up alerts for new file creations with PHP-executable extensions in upload directories
- Monitor process execution originating from the web server for signs of webshell activity
- Implement regular automated scans of upload directories for unexpected executable files
How to Mitigate CVE-2026-33704
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.38 or later immediately
- Audit existing upload directories for any .pht files and remove unauthorized files
- Review Apache configuration to disable PHP execution for .pht files if not required
- Temporarily restrict access to the BigUpload endpoint if patching is delayed
Patch Information
The vulnerability is fixed in Chamilo LMS version 1.11.38. The patch updates the php2phps() function in main/inc/lib/fileUpload.lib.php to include .pht and its variants in the filtered extension list. Organizations should apply this update through their standard Chamilo upgrade process.
For detailed patch information, see the GitHub Security Advisory and the security commit.
Workarounds
- Configure Apache to not execute .pht files as PHP by removing or commenting out the relevant handler directives
- Implement a web application firewall rule to block uploads containing .pht extensions
- Apply filesystem-level restrictions to prevent creation of .pht files in upload directories
- Consider using a reverse proxy to filter requests targeting the BigUpload endpoint
# Apache configuration to disable PHP execution for .pht files
# Add to .htaccess or Apache configuration
<FilesMatch "\.pht[0-9]?$">
SetHandler text/plain
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
