kx00007/CVE-2026-35196
GitHub: kx00007/CVE-2026-35196
Stars: 0 | Forks: 0
# `CVE-2026-35196` · Chamilo LMS · OS Command Injection → RCE
     
## 📋 Vulnerability Summary

| Field | Details |
|----------------------|---------------------------------------------------------------|
| **Product** | Chamilo LMS |
| **Affected Version** | < 2.0 (Confirmed on v1.11.32) |
| **Vulnerability** | OS Command Injection |
| **CWE** | [CWE-78](https://cwe.mitre.org/data/definitions/78.html) — Improper Neutralization of Special Elements used in an OS Command |
| **CVSSv3.1 Score** | **8.8 (HIGH)** |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **Auth Required** | Yes (any authenticated user with a poisoned session) |
| **Exploit Type** | Authenticated Remote Code Execution |
| **Vulnerable File** | `main/inc/ajax/gradebook.ajax.php` |

## 🔍 Description

A critical **OS Command Injection** vulnerability exists in the `export_all_certificates` action of `main/inc/ajax/gradebook.ajax.php` within Chamilo LMS v1.11.32. An attacker who can manipulate or poison their session's `_cid` variable (via session poisoning, IDOR chaining, or other session manipulation primitives) can inject arbitrary shell metacharacters and achieve **full remote code execution** as the web server user (`www-data`).

## 🧩 Root Cause Analysis

**Vulnerable File:** `main/inc/ajax/gradebook.ajax.php`

**Vulnerable Function:** `export_all_certificates`

When a user triggers the `export_all_certificates` action, the script attempts to run a background process for processing certificates:

```php
$courseCode = api_get_course_id(); // Retrieves the value from $_SESSION['_cid']
$sessionId = api_get_session_id();
// ...
$commandScript = api_get_path(SYS_CODE_PATH).'gradebook/cli/export_all_certificates.php';
$userList = implode(',', $userList);
// Flaw: Variables like $courseCode are passed directly to the shell without escapeshellarg()
shell_exec("php $commandScript $courseCode $sessionId $categoryId $userList > /dev/null &");
```

Because the application implicitly trusts the contents of the session variables and fails to properly escape them before sending them to the system shell, an attacker with a manipulated session can append and execute malicious commands.

For example, if `_cid` contains `"; touch /tmp/remote_code_by_k; #"`, the command interpreted by the bash/sh shell becomes:

```sh
php /var/www/chamilo/main/gradebook/cli/export_all_certificates.php ; touch /tmp/remote_code_by_k; # ... > /dev/null &
```

The shell executes the CLI script, followed by the injected payload, and ignores the rest of the intended command string.

## 💣 Proof of Concept

1. **Session Poisoning:** The attacker must first influence the `$_SESSION['_cid']` variable. This can be achieved by chaining this flaw with a session poisoning vulnerability or by manipulating the course code value through an IDOR or insecure parameter handling elsewhere in the application to update their session context.
2. **Payload Injection:** Set the `_cid` session variable to: `"; [MALICIOUS_COMMAND]; #"`
3. **Execution:** Send a `GET` request to `/main/inc/ajax/gradebook.ajax.php?a=export_all_certificates&cat_id=1` with the poisoned session cookie.
4. **Result:** The server blindly executes the injected command with the privileges of the web application user (`www-data`).

## 📊 Impact Analysis

| Dimension | Impact |
|---------------------|--------------------------------------------------------------------|
| **Confidentiality** | Full read access — source code, configs, DB credentials, `/etc/passwd` |
| **Integrity** | Arbitrary file write, webshell deployment, database manipulation |
| **Availability** | Service disruption, filesystem destruction, ransomware deployment |
| **Scope** | Web server process (`www-data`); lateral movement potential via credential exposure |

## 🛡️ Recommendations

- **Apply `escapeshellarg()`:** Wrap all user-derived variables (like `$courseCode`, `$sessionId`, and `$userList`) with PHP's `escapeshellarg()` before passing them to `shell_exec()` to neutralize arbitrary OS metacharacters.
- **Strict Session Validation:** Ensure variables stored in the session state (e.g., `$_SESSION['_cid']`) are rigidly typed and sanitized so that potential "Session Poisoning" or IDOR chaining attacks are blocked at the entry point.
- **Enforce Least Privilege:** Configure the web server service (`www-data`) with restrictive filesystem write permissions and limit application access to essential Linux shell binaries to mitigate post-exploitation capabilities.

## 🧪 Environment

| Component | Details |
|----------------|--------------------------|
| **OS** | Ubuntu Server (Docker) |
| **Web Server** | Apache / Nginx |
| **PHP** | 7.x / 8.x |
| **App** | Chamilo LMS v1.11.32-v2.0 |
| **Shell** | `/bin/sh` → bash |

## 📎 References

- [Chamilo LMS Official Repository](https://github.com/chamilo/chamilo-lms)
- [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)
- [OWASP: Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
- [CVE-2026-29041](https://github.com/kx00007/CVE-2026-29041) — Prior Chamilo RCE (CWE-434, CVSS 8.8) by same researcher

## 👤 Researcher

- **Handle:** K
- **GitHub:** https://github.com/kx00007
- **Focus:** Server-Side Vulnerability RCE, CVE Hunting, Vulnerability Research, Exploit Development
- **Prior:** CVE-2026-29041 (Chamilo LMS — Authenticated RCE via File Upload)
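The following is an added example (not Chamilo's code and not part of this advisory) showing how the two first recommendations combine: an allow-list check on the session-derived course code, integer typing for the numeric ids, and `escapeshellarg()` on every string that reaches the command line. The function names (`assertValidCourseCode`, `buildExportCommand`), the course-code pattern and the sample inputs are assumptions made for illustration; only `escapeshellarg()` and `shell_exec()` are real PHP built-ins.

```php
<?php
// Added example (not Chamilo's code): a hardened way to build the certificate
// export command. Function names and the course-code pattern are assumptions.

declare(strict_types=1);

/**
 * Allow-list validation for a course code taken from the session. The pattern
 * (upper-case letters, digits, underscore, dot, dash; at most 40 chars) is an
 * assumption for this example; adjust it to the real course-code format.
 * Anything else is rejected before a command string exists at all.
 */
function assertValidCourseCode(string $courseCode): string
{
    if (!preg_match('/^[A-Z0-9_.\-]{1,40}$/', $courseCode)) {
        throw new InvalidArgumentException('Invalid course code in session');
    }
    return $courseCode;
}

/**
 * Build the CLI command without string interpolation of untrusted values.
 * Numeric ids are typed as int (a poisoned string cannot satisfy %d with
 * strict types), and every string argument is wrapped in escapeshellarg(),
 * which turns shell metacharacters into literal characters of one argument.
 */
function buildExportCommand(
    string $commandScript,
    string $courseCode,
    int $sessionId,
    int $categoryId,
    array $userList
): string {
    $courseCode = assertValidCourseCode($courseCode);

    // Only digit-only user ids are accepted; join them after the check.
    $userIds = array_map(static function ($id): int {
        if (!ctype_digit((string) $id)) {
            throw new InvalidArgumentException('Non-numeric user id');
        }
        return (int) $id;
    }, $userList);

    return sprintf(
        'php %s %s %d %d %s > /dev/null &',
        escapeshellarg($commandScript),
        escapeshellarg($courseCode),
        $sessionId,
        $categoryId,
        escapeshellarg(implode(',', $userIds))
    );
}

// Constructed sample inputs for the demonstration.
$script = '/var/www/chamilo/main/gradebook/cli/export_all_certificates.php';

// A benign course code passes validation and is emitted as one quoted argument.
echo buildExportCommand($script, 'COURSE101', 0, 1, [3, 7, 12]), PHP_EOL;

// A constructed session value carrying shell metacharacters is rejected by the
// allow-list before any command is assembled.
try {
    buildExportCommand($script, '"; echo injected; #', 0, 1, [3]);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// For contrast, the same value after escapeshellarg() alone: the quotes make it
// a single literal token, so even without the allow-list it could not start a
// second command.
echo escapeshellarg('"; echo injected; #'), PHP_EOL;
```

The two layers are deliberately independent: the allow-list stops malformed session data at the entry point (the "Strict Session Validation" recommendation), and `escapeshellarg()` guarantees that whatever does reach `shell_exec()` is passed as data, not syntax, even if a later code change weakens the validation. The command is only built here and never executed, so the script can be run as-is to inspect the resulting strings.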
⚡Try Harder.