cbcvebase.
CVE-2013-3629
published 2020-02-07

CVE-2013-3629: ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution

PriorityP272high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
43.10%
98.6th percentile
ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution

Affected

1 ranges
VendorProductVersion rangeFixed in
ispconfigispconfig

Detection & IOCsextracted from sources · hover to see the quote

path/admin/language_import.php
path/admin/language_complete.php
filename*.lng (random alphanumeric + '.lng')
bytes
---|ISPConfig Language File|3.0.5.2|
  • Monitor for multipart/form-data POST requests to /admin/language_import.php containing a .lng file upload — this is the payload delivery step of the exploit.
  • Detect the magic header '---|ISPConfig Language File|' inside uploaded .lng files; presence of PHP code (e.g., <?php) following this header indicates malicious payload injection.
  • Alert on POST requests to /admin/language_complete.php immediately after a .lng file upload — this is the trigger step that executes the injected PHP payload.
  • Look for multipart form fields 'overwrite=1' and 'ignore_version=1' in uploads to /admin/language_import.php, which are used by the exploit to bypass version checks.
  • The exploit authenticates via POST to /content.php with fields 'username', 'passwort', 's_mod=login', 's_pg=index'; anomalous logins (e.g., default credentials admin/admin) followed by language import activity should be flagged.
  • ·Exploitation requires valid administrator credentials; the module defaults to admin/admin, meaning instances with default or weak credentials are at highest risk.
  • ·The payload architecture is PHP (ARCH_PHP), so the injected code executes in the web server's PHP context — detection should focus on web layer, not OS-level process spawning.
  • ·The exploit was confirmed against ISPConfig 3.0.5.2 specifically; other versions may or may not expose the same language import/export functionality.
  • ·Payload bad characters are '&', newline, '=', '+', '%' — URL-encoded or otherwise obfuscated variants of the payload will avoid these characters, which may affect signature-based detection.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.