CSRF vulnerability in Chamilo LMS 1.11.10

Hello, my name is Nguyen Dang Toan, I'm a pentester.
On 22/04/2020, I wanted to look for my own CVE, so I chose Chamilo LMS. Hoang Kien is a new friend of mine; he wanted to help me --> we got two vulnerabilities. Hahaha :v

OK let's go.

This is the first vulnerability --> CSRF.

Version tested: Chamilo LMS 1.11.10 on PHP 7.3.
Web server: Apache/2.4.41 (Debian).
Pentesters: Hoang Kien, Nguyen Dang Toan.

  1. Account takeover via CSRF.
    • Issue: A forged edit_user request changes all of the administrator's information, including the credentials. The edit_user function accepts the state-changing POST without any anti-CSRF token, so a request submitted from another site in the administrator's browser is applied as if the administrator had made it.

    • PoC:
      Step 1: The administrator's user_id is always 1; it can also be found via the whoisonline function and other functions.

      Step 2: Forge a request to the administrator's edit-user function.
      These are the original administrator's details.

      Use Burp Suite to intercept and edit a request like this:

      Step 3: Use Burp Suite to generate a CSRF PoC.

      Step 4: Log in with the administrator account; the administrator then submits the forged request.

      After that, this is the administrator's information. Of course, the administrator's credentials are now:

      Username: hacker
      Password: hacker

  2. Privilege escalation via CSRF.
    • Issue: A forged edit_user request changes all of a user's information, including the credentials, and can also make the user an administrator, because the same unprotected form controls the account status.
    • PoC:
      Step 1: Create user '321' as in the picture below.
      Step 2: Use Burp Suite to capture the request body.

      Step 3: Generate a CSRF PoC.

      Step 4: Log in with the administrator account; the administrator then submits the forged request.

      Step 5: Log in as user '321' --> now an administrator.
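Both findings above have the same root cause: the edit_user handler applies a state-changing POST without proving that the request came from the application's own form. The following is an added example, not Chamilo's code, of how such a handler is usually protected: a per-session synchronizer token that the legitimate form embeds as a hidden field, plus an Origin/Referer check as defence in depth, and an authorization check that only an administrator's own (token-bearing) request may grant admin status. The form field names (`csrf_token`, `user_id`, `username`, `password`, `make_admin`), the `SITE_ORIGIN` value and the in-memory user table are all assumptions constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: a minimal edit_user handler protected with the
# synchronizer-token pattern plus an Origin/Referer check. Not Chamilo code;
# the form field names, SITE_ORIGIN and the user table are assumptions.

SITE_ORIGIN = "https://lms.example.test"  # assumed deployment origin


@dataclass
class Session:
    user_id: int
    is_admin: bool
    # One unguessable token per session; the legitimate form embeds it as a
    # hidden field. A page on another origin cannot read it, so it cannot
    # be included in a forged request.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def make_users():
    """Constructed user table: the administrator is user_id 1, as the write-up notes."""
    return {
        1: {"username": "admin", "password": "admin-pass", "is_admin": True},
        2: {"username": "321", "password": "321-pass", "is_admin": False},
    }


def validate_csrf(session, form, headers):
    """Accept a state-changing request only if it carries the session's token.
    The Origin/Referer check is secondary: it is enforced when the header is
    present (browsers send Origin on cross-site form posts) and skipped when
    neither is sent, because some legitimate clients strip the Referer."""
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or mismatched CSRF token"
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return False, "cross-origin request"
    return True, "ok"


def handle_edit_user(session, form, headers, users):
    """Apply an edit_user POST only after the CSRF check and authorization pass.
    All checks run before any field is written, so a rejected request
    changes nothing."""
    ok, reason = validate_csrf(session, form, headers)
    if not ok:
        return {"status": 403, "reason": reason}
    target = int(form["user_id"])
    if target not in users:
        return {"status": 404, "reason": "no such user"}
    if target != session.user_id and not session.is_admin:
        return {"status": 403, "reason": "cannot edit other users"}
    wants_admin = form.get("make_admin") == "1"
    if wants_admin and not session.is_admin:
        return {"status": 403, "reason": "only administrators may grant admin"}

    record = users[target]
    if "username" in form:
        record["username"] = form["username"]
    if "password" in form:
        record["password"] = form["password"]  # production code hashes this
    if wants_admin:
        record["is_admin"] = True
    return {"status": 200, "reason": reason}


if __name__ == "__main__":
    users = make_users()
    admin = Session(user_id=1, is_admin=True)
    # Legitimate edit from the site's own form carries the token.
    print(handle_edit_user(admin, {"csrf_token": admin.csrf_token, "user_id": "1",
                                   "username": "admin-renamed"}, {"Origin": SITE_ORIGIN}, users))
    # A forged post from another origin has no token and is rejected.
    print(handle_edit_user(admin, {"user_id": "1", "username": "hacker", "password": "hacker"},
                           {"Origin": "https://attacker.example"}, users))
```

The point of the demo is the ordering: the token comparison happens first, in constant time, and nothing is written to the user record until every check has passed. Run it and the second call returns 403 while the administrator's record keeps the name set by the first call.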

Finally: if you want to read my second vulnerability in Chamilo LMS --> here.
