Introduction:
On April 22, 2020, I wanted to find a CVE for myself and after some searching, I chose Chamilo LMS. This is the second vulnerability I found in Chamilo LMS 1.11.10. I had high hopes for this vulnerability to be given a high score, but the outcome was that Chamilo didn’t know how to assign a CVE to me, so sad :3
I typically write my blogs with a cheerful and playful style, but today I’ll attempt to write like a thoughtful young man. It’s enough to ramble like a madman, let’s exploit.
Environment:
Version tested: Chamilo LMS 1.11.10 for PHP 7.3.
Web server: Apache webserver-Apache/2.4.41 (Debian).
Issue: Allow users with Sessions administrator privileges the ability to create new users with administrator rights.
PoC:
Step 1: Log in with the ‘abcd’ account, endowed with Sessions administrator rights.
Step 2: Create a new user named ‘654’.
Step 3: Click on button to edit ‘654’.
Step 4: Launch Burp Suite and click “Save.” Then, proceed to modify the request body as follows:
Step 5: Log in to the ‘654’ account. BOOM!! Now, ‘654’ is an administrator.
Okay, done!
At the end of the blog, I want to express my gratitude to my new friend, Hoang Kien. He has helped me a lot during the exploitation of this vulnerability.