Introduction:

On April 22, 2020, I wanted to find a CVE for myself and after some searching, I chose Chamilo LMS. This is the second vulnerability I found in Chamilo LMS 1.11.10. I had high hopes for this vulnerability to be given a high score, but the outcome was that Chamilo didn’t know how to assign a CVE to me, so sad :3

I typically write my blogs with a cheerful and playful style, but today I’ll attempt to write like a thoughtful young man. It’s enough to ramble like a madman, let’s exploit.

Environment:

Version tested: Chamilo LMS 1.11.10 for PHP 7.3.

Web server: Apache webserver-Apache/2.4.41 (Debian).

Issue: Allow users with Sessions administrator privileges the ability to create new users with administrator rights.

PoC:

Step 1: Log in with the ‘abcd’ account, endowed with Sessions administrator rights.

Step 2: Create a new user named ‘654’.

Step 3: Click on button to edit ‘654’.

Step 4: Launch Burp Suite and click “Save.” Then, proceed to modify the request body as follows:

Step 5: Log in to the ‘654’ account. BOOM!! Now, ‘654’ is an administrator.

Okay, done!

At the end of the blog, I want to express my gratitude to my new friend, Hoang Kien. He has helped me a lot during the exploitation of this vulnerability.

Related Blog

October 6, 2023 Security for Newbie

Improper permission management leads to privilege escalation in Chamilo LMS

Related Blog

Investigate the cause of a cyber attack through log files

[Shodan] – Search engines serve security, or the evil eye?

Cyber security & frequently asked questions