Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-50187 is a critical Remote Code Execution (RCE) vulnerability in Chamilo LMS versions up to 1.11.26, patched in version 1.11.28.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling of untrusted user input in the NuSOAP library used by Chamilo LMS, specifically in the file class.soap_server.php.'}, {'type': 'paragraph', 'content': "When the PHP function call_user_func_array is disabled in the server's php.ini configuration, the application falls back to using PHP's eval() function to execute a dynamically constructed string containing SOAP request parameters without proper sanitization."}, {'type': 'paragraph', 'content': 'This allows an attacker to inject arbitrary PHP code inside SOAP method argument tags, which is then executed on the server, enabling remote code execution.'}, {'type': 'paragraph', 'content': 'A proof of concept shows that an attacker can send a crafted SOAP request that writes a PHP backdoor file on the server, allowing further remote command execution.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full compromise of the affected server.

• Attackers can remotely execute arbitrary PHP code without any privileges or user interaction.
• They can install backdoors, allowing persistent access and control over the system.
• Confidentiality, integrity, and availability of the system and its data can be fully compromised.
• The vulnerability has a critical CVSS score of 9.8, indicating high severity and ease of exploitation over the network.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious SOAP requests that contain injected PHP code within method argument tags. Specifically, crafted SOAP requests that attempt to execute arbitrary PHP code via the vulnerable NuSOAP library function can indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system, you can:'}, {'type': 'list_item', 'content': 'Inspect web server logs for unusual SOAP requests containing PHP code or suspicious payloads.'}, {'type': 'list_item', 'content': 'Check if the PHP configuration disables the function call_user_func_array by running: php -r "echo ini_get(\'disable_functions\');"'}, {'type': 'list_item', 'content': 'Use network monitoring tools or intrusion detection systems (IDS) to look for SOAP requests with embedded PHP code or commands.'}, {'type': 'list_item', 'content': "Example command to search web server logs for suspicious SOAP payloads (assuming Apache logs): grep -i '<?php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Example command to detect if call_user_func_array is disabled: php -r "var_dump(in_array(\'call_user_func_array\', explode(\',\', ini_get(\'disable_functions\'))));"'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade Chamilo LMS to version 1.11.28 or later, where the vulnerability is patched.
• Remove call_user_func_array from the disable_functions directive in your php.ini configuration to prevent the fallback to unsafe eval() execution.
• Ensure that user input in SOAP requests is properly sanitized and escaped before evaluation.
• Monitor your system for any signs of compromise, such as unexpected PHP files (e.g., backdoors like bd.php) created on the server.

Useful 0 Not Useful 0