Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

关键功能的认证机制缺失

Chamilo 代码问题漏洞

Chamilo是Chamilo开源的一个学习管理系统。 Chamilo 2.0-RC.2版本存在代码问题漏洞，该漏洞源于install.ajax.php文件无需身份验证即可访问，可能导致未经身份验证的攻击者利用SMTP协议进行服务端请求伪造或滥用服务器作为开放邮件中继。

N/A

N/A