Executive Summary

CVE-2026-33704 is a high-severity vulnerability in Chamilo LMS versions prior to 1.11.38 that allows any authenticated user, including students, to write arbitrary content to files on the server via the BigUpload endpoint.

The vulnerability arises because the filename is controlled by the "key" parameter, which is insufficiently validated, and the raw POST body is written directly to a file in a web-accessible directory.

While files with .php extensions are filtered and renamed to .phps to prevent execution, files with the .pht extension were not filtered and could be executed as PHP on Apache servers configured to treat .pht files as PHP scripts.

This leads to remote code execution (RCE) on affected systems. The issue was fixed in version 1.11.38 by adding .pht to the list of filtered extensions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including remote code execution on the server hosting Chamilo LMS if it is configured to execute .pht files as PHP.

An attacker with low privileges (any authenticated user) can upload malicious files that execute arbitrary code, potentially compromising the server.

Even if remote code execution is not possible, arbitrary file writes can lead to denial of service by filling disk space or planting malicious content.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves arbitrary file writes via the BigUpload endpoint by authenticated users. Detection can focus on monitoring HTTP POST requests to the BigUpload endpoint that include the "key" parameter controlling filenames.

You can look for suspicious POST requests with unusual file extensions like ".pht" being uploaded, which may indicate exploitation attempts.

Example commands to detect such activity include:

• Using web server logs (e.g., Apache) to search for POST requests to the BigUpload endpoint with ".pht" or other suspicious extensions in the "key" parameter: `grep 'POST /app/cache/BigUpload' /var/log/apache2/access.log | grep -i '.pht'`
• Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests containing the "key" parameter: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'key='`
• On the server, searching for recently created or modified files with ".pht" extension in the cache directory: `find /var/www/chamilo/app/cache/ -type f -name '*.pht' -ls`

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Chamilo LMS to version 1.11.38 or later, where the vulnerability is fixed by filtering the ".pht" extension to prevent execution.

If immediate upgrade is not possible, consider the following temporary mitigations:

• Configure the web server (e.g., Apache) to not treat ".pht" files as PHP scripts by removing or disabling the handler for ".pht" extensions.
• Restrict write permissions to the `/var/www/chamilo/app/cache/` directory to prevent unauthorized file creation.
• Monitor and block suspicious POST requests to the BigUpload endpoint, especially those attempting to upload files with dangerous extensions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user to write arbitrary files to the server, potentially leading to remote code execution or denial of service. This can compromise the integrity and availability of the system.

Such a compromise could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of system integrity and availability to safeguard personal and sensitive data.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Useful 0 Not Useful 0