CVE-2021-35413: 
Chamilo vulnerability analysis and mitigation

A remote code execution (RCE) vulnerability exists in courseintropdf_import.php of Chamilo LMS v1.11.x that allows authenticated attackers to execute arbitrary code via uploading a zip file containing malicious .htaccess and PHP files (GitHub Writeup).

The vulnerability exists in the courseintropdf_import.php file's import functionality, which allows uploading zip files without properly validating their contents. An attacker can create a zip file containing a malicious .htaccess file that adds PHP handler for custom file extensions, along with a file containing PHP code to be executed. When uploaded, the contents are extracted to /var/www/chamilo/app/cache/pdfimport/ directory, allowing the attacker to execute the PHP code by accessing the uploaded file (GitHub Writeup).

Successful exploitation allows authenticated attackers to execute arbitrary code on the underlying system with the web server's privileges. This could lead to complete compromise of the Chamilo LMS application and potentially the entire web server (GitHub Writeup).

The vulnerability was fixed in multiple commits that add validation for dangerous files and disable .htaccess files. Users should update to the latest version of Chamilo LMS. The specific fixes were implemented in commits 2e5c004b57d551678a1815500ef91524ba7bb757, 8ba572397445477d67ca55453fd8f29885bb19e5, and 905a21037ebc9bc5369f0fb380177cb56f496f5c (GitHub Commit).