<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33704 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33704/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33704/feed.xml" rel="self" type="application/rss+xml"/><item><title>Chamilo LMS Remote Code Execution via Arbitrary File Upload (CVE-2026-33704)</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-chamilo-rce/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-chamilo-rce/</guid><description>Chamilo LMS versions prior to 1.11.38 are vulnerable to remote code execution via arbitrary file upload by authenticated users due to insufficient file extension filtering in the BigUpload endpoint, allowing execution of PHP code on servers configured to process .pht files.</description><content:encoded><![CDATA[<p>Chamilo LMS, a learning management system, is vulnerable to a critical remote code execution (RCE) flaw identified as CVE-2026-33704. This vulnerability affects versions prior to 1.11.38. An authenticated user, including students, can exploit this vulnerability by writing arbitrary content to files on the server using the BigUpload endpoint. The vulnerability lies in the insufficient filtering of file extensions. While the .php extension is filtered and converted to .phps, the .pht extension is not modified. If the Apache web server is configured to handle .pht files as PHP, this can lead to arbitrary code execution. The vulnerability was patched in version 1.11.38. Exploitation allows attackers to compromise the web server hosting the Chamilo LMS instance.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the Chamilo LMS as a legitimate user (e.g., student).</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>BigUpload</code> endpoint.</li>
<li>The request includes a <code>key</code> parameter specifying the desired filename, using a <code>.pht</code> extension.</li>
<li>The request body contains arbitrary PHP code that the attacker wants to execute on the server.</li>
<li>The Chamilo LMS application processes the request but fails to properly sanitize the <code>.pht</code> extension.</li>
<li>The application writes the attacker-controlled PHP code to a file with a <code>.pht</code> extension in the web server's document root or accessible directory.</li>
<li>The attacker sends an HTTP request to the newly created <code>.pht</code> file.</li>
<li>The Apache web server, if configured to process <code>.pht</code> files as PHP, executes the attacker-supplied code, leading to remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33704 allows an attacker to execute arbitrary code on the Chamilo LMS server. This could lead to complete system compromise, data theft, defacement of the learning platform, or further malicious activities within the network. Given the nature of an LMS, student and faculty data, including personal information and academic records, could be exposed. There are no specific victim counts available but successful exploitation grants complete control of the Chamilo LMS instance.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-33704.</li>
<li>Configure the Apache web server to not execute <code>.pht</code> files as PHP. This mitigation can be implemented even without patching.</li>
<li>Deploy the Sigma rule <code>Chamilo_BigUpload_PHT_File_Creation</code> to detect the creation of <code>.pht</code> files via the <code>BigUpload</code> endpoint.</li>
<li>Monitor web server access logs for requests to <code>.pht</code> files in the Chamilo LMS web directory using the <code>Chamilo_PHT_File_Access</code> Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>chamilo</category><category>lms</category><category>rce</category><category>cve-2026-33704</category></item></channel></rss>