CVE-2013-10043
Published: 2025-07-31
Priority: P2 · 72 · Severity: critical, 9.5 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: yes · EPSS: 1.98% (78.0th percentile)
A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astium | voip_pbx | <= astium-confweb-2.1-25399 RPM | — |
Detection & IOCs
- Monitor HTTP POST requests to logon.php for SQL injection patterns (e.g., quote characters, boolean/UNION payloads) indicative of authentication bypass attempts.
- Alert on HTTP POST requests to import.php containing the importcompany field with PHP code or file upload content, which is the vector for arbitrary PHP code upload post-authentication.
- Detect writes or modifications to /usr/local/astium/web/php/config.php, especially from web server processes, as this is the target file for payload injection.
- Alert on execution of `sudo /sbin/service astcfgd reload` spawned from a web server process (e.g., apache, nginx, php-fpm), as this is the trigger for RCE with root privileges.
- A Metasploit module exists for this vulnerability (linux/http/astium_sqli_upload); correlate IDS/WAF logs for matching exploit framework signatures against Astium PBX web interfaces.
- Exploitation requires two chained steps: first, SQL injection against logon.php for authentication bypass, then authenticated PHP file upload via import.php. Detection logic should account for both stages.
- The vulnerability affects astium-confweb-2.1-25399 and earlier; ensure version checks target this RPM package specifically on Linux hosts running OAstium VoIP PBX.
- The final payload executes with root privileges due to a sudo misconfiguration allowing the web process to run astcfgd reload; privilege escalation detection should focus on this sudo rule.
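The detection guidance above as an added Python example (not code from the page or from any vendor tooling): it runs simple checks over constructed WAF-style HTTP events and EDR-style process events for the three stages named, SQL injection at logon.php, a PHP tag in the importcompany field of an import.php POST, and an astcfgd reload launched from a web server process. The event field names and the SAMPLE_EVENTS list are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample events (not from the page): WAF-style HTTP records with
# URL-encoded request bodies and EDR-style process records. Field names are assumed.
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "path": "/logon.php",
     "body": "username=admin%27+OR+%271%27%3D%271&password=x"},
    {"type": "http", "method": "POST", "path": "/logon.php",
     "body": "username=alice&password=hunter2"},
    {"type": "http", "method": "POST", "path": "/import.php",
     "body": "importcompany=%3C%3Fphp+echo+1%3B+%3F%3E"},
    {"type": "process", "parent": "httpd", "user": "root",
     "cmdline": "sudo /sbin/service astcfgd reload"},
    {"type": "process", "parent": "sshd", "user": "root",
     "cmdline": "sudo /sbin/service astcfgd reload"},
]

# Quote characters, boolean tautologies and UNION SELECT in the logon body.
# A legitimate password containing a quote also matches, so tune for your users.
SQLI_RE = re.compile(r"""['"]|\b(or|and)\b\s+\S+\s*=|\bunion\b\s+(all\s+)?select\b""", re.I)
# Opening PHP tag inside the importcompany field of the decoded POST body.
IMPORT_RE = re.compile(r"(^|&)importcompany=[^&]*<\?", re.I)
# Parent process names that indicate the reload was spawned by the web tier.
WEB_PARENTS = {"httpd", "apache2", "nginx", "php-fpm"}

def detect(events):
    """Return (rule_name, evidence) tuples for events matching one of the three stages."""
    alerts = []
    for ev in events:
        if ev["type"] == "http" and ev["method"] == "POST":
            body = unquote_plus(ev["body"])  # match on the decoded form, not the raw bytes
            if ev["path"].endswith("/logon.php") and SQLI_RE.search(body):
                alerts.append(("logon_sqli", body))
            if ev["path"].endswith("/import.php") and IMPORT_RE.search(body):
                alerts.append(("import_php_upload", body))
        elif ev["type"] == "process":
            if "service astcfgd reload" in ev["cmdline"] and ev["parent"] in WEB_PARENTS:
                alerts.append(("astcfgd_reload_from_web", ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The config.php file-write check from the list above is a host file-integrity rule rather than an event filter, so it is left to the FIM tool.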
No detection rules found.
No writeups or analysis indexed.