CVE-2013-2097
published 2020-02-12

CVE-2013-2097: ZPanel through 10.1.0 has Remote Command Execution

Priority: P259 (high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 26.05% (97.7th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zpanel | zpanel | | |
| zpanel_project | zpanel | | |

Detection & IOCs (extracted from sources)

path: /etc/lib/pChart2/examples/index.php
path: /etc/apps/phpmyadmin/index.php
path: /etc/apps/phpmyadmin/import.php
path: ../../../../cnf/db.php
path: /dryden/ui/templateparser.class.php
command: SELECT "<payload>" INTO OUTFILE "/etc/zpanel/panel/<rand>.php"
  • Detect directory traversal attempts targeting pChart2 examples endpoint with 'Action=View&Script=../../../../cnf/db.php' to read ZPanel's database credentials file.
  • Monitor for unauthenticated GET requests to /etc/lib/pChart2/examples/index.php with a 'Script' parameter containing directory traversal sequences (../).
  • Alert on POST requests to /etc/apps/phpmyadmin/import.php containing 'SELECT ... INTO OUTFILE' SQL targeting the /etc/zpanel/panel/ web root directory.
  • Detect the X-Requested-With: XMLHttpRequest header combined with SQL OUTFILE injection in POST body to phpMyAdmin import endpoint.
  • Detect template files (master.ztml or *.ztml) uploaded by reseller accounts containing PHP execution constructs, as the templateparser eval() will execute injected PHP code.
  • Monitor for pChart 2.x response body in HTTP responses from the ZPanel pChart examples endpoint, confirming a vulnerable version is exposed.
  • The exploit's default TARGETURI is '/zpanel'; installations may differ, requiring path adjustment for detection rules.
  • The attack chain requires the pChart vulnerability (EDB-31173) to be present and exploitable first before RCE is achieved; detection of the traversal step is the earliest indicator.
  • The templateparser RCE vector (EDB-25519) is accessible to any reseller account, not just administrators, broadening the attack surface.
  • A local privilege escalation binary 'zsudo' is present on ZPanel systems and can be leveraged post-RCE to achieve root; the Metasploit module references a separate local exploit for this step.
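
The traversal and INTO OUTFILE checks listed above, sketched as an added detection example (not code from the original page or from ZPanel). It assumes HTTP events have already been parsed from a proxy or WAF log into dicts with hypothetical `method`, `url` and `body` fields; the rule names are also hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PCHART = "/etc/lib/pChart2/examples/index.php"
PMA_IMPORT = "/etc/apps/phpmyadmin/import.php"
TRAVERSAL = re.compile(r"\.\.[/\\]")
OUTFILE = re.compile(r"\bselect\b.*\binto\s+outfile\b", re.I | re.S)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252f) before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(event):
    """Return the names of the rules matched by one HTTP event."""
    hits = []
    url = urlsplit(event["url"])
    # endswith() keeps the rule independent of the install prefix (/zpanel or other).
    path = fully_decode(url.path)
    if event["method"] == "GET" and path.endswith(PCHART):
        scripts = parse_qs(url.query).get("Script", [])
        if any(TRAVERSAL.search(fully_decode(s)) for s in scripts):
            hits.append("pchart-script-traversal")
    if event["method"] == "POST" and path.endswith(PMA_IMPORT):
        if OUTFILE.search(fully_decode(event.get("body", ""))):
            hits.append("pma-import-into-outfile")
    return hits

# Constructed sample events (not captured traffic); field names are assumptions.
SAMPLE_EVENTS = [
    {"method": "GET", "url": "/zpanel/etc/lib/pChart2/examples/index.php"
                             "?Action=View&Script=..%2F..%2F..%2F..%2Fcnf%2Fdb.php"},
    {"method": "GET", "url": "/panel/etc/lib/pChart2/examples/index.php"
                             "?Action=View&Script=..%252f..%252fcnf%252fdb.php"},
    {"method": "GET", "url": "/zpanel/etc/lib/pChart2/examples/index.php"
                             "?Action=View&Script=example.php"},
    {"method": "POST", "url": "/zpanel/etc/apps/phpmyadmin/import.php",
     "body": "sql_query=SELECT+%22%3Cpayload%3E%22+INTO+OUTFILE+"
             "%22%2Fetc%2Fzpanel%2Fpanel%2F%3Crand%3E.php%22"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["method"], ev["url"], "->", classify(ev) or "no match")
```

The POST rule needs request bodies, which ordinary access logs do not record, so it only works on sources that capture them.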

CVSS provenance

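| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |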