CVE-2013-3629
published 2020-02-07CVE-2013-3629: ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution
PriorityP272high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
43.10%
98.6th percentile
ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ispconfig | ispconfig | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
---|ISPConfig Language File|3.0.5.2|
- →Monitor for multipart/form-data POST requests to /admin/language_import.php containing a .lng file upload — this is the payload delivery step of the exploit. ↗
- →Detect the magic header '---|ISPConfig Language File|' inside uploaded .lng files; presence of PHP code (e.g., <?php) following this header indicates malicious payload injection. ↗
- →Alert on POST requests to /admin/language_complete.php immediately after a .lng file upload — this is the trigger step that executes the injected PHP payload. ↗
- →Look for multipart form fields 'overwrite=1' and 'ignore_version=1' in uploads to /admin/language_import.php, which are used by the exploit to bypass version checks. ↗
- →The exploit authenticates via POST to /content.php with fields 'username', 'passwort', 's_mod=login', 's_pg=index'; anomalous logins (e.g., default credentials admin/admin) followed by language import activity should be flagged. ↗
- ·Exploitation requires valid administrator credentials; the module defaults to admin/admin, meaning instances with default or weak credentials are at highest risk. ↗
- ·The payload architecture is PHP (ARCH_PHP), so the injected code executes in the web server's PHP context — detection should focus on web layer, not OS-level process spawning. ↗
- ·The exploit was confirmed against ISPConfig 3.0.5.2 specifically; other versions may or may not expose the same language import/export functionality. ↗
- ·Payload bad characters are '&', newline, '=', '+', '%' — URL-encoded or otherwise obfuscated variants of the payload will avoid these characters, which may affect signature-based detection. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
ISPConfig - (Authenticated) Arbitrary PHP Code Execution (Metasploit)
exploitdb·2013-10-31
CVE-2013-3629 ISPConfig - (Authenticated) Arbitrary PHP Code Execution (Metasploit)
ISPConfig - (Authenticated) Arbitrary PHP Code Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 'ISPConfig Authenticated Arbitrary PHP Code Execution',
'Description' => %q{
ISPConfig allows an authenticated administrator to export language settings into a PHP script
which is intended to be reuploaded later to restore language settings. This feature
can be abused to run aribtrary PHP code remotely on the ISPConfig server.
This module was tested against version 3.0.5.2.
},
'Author' =>
[
'Brandon Perry ' # Discovery / msf module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3629'],
['URL', 'https://community.rapid7.com/commu
Metasploit
ISPConfig Authenticated Arbitrary PHP Code Execution
metasploit
ISPConfig Authenticated Arbitrary PHP Code Execution
ISPConfig Authenticated Arbitrary PHP Code Execution
ISPConfig allows an authenticated administrator to export language settings into a PHP script which is intended to be reuploaded later to restore language settings. This feature can be abused to run aribitrary PHP code remotely on the ISPConfig server. This module was tested against version 3.0.5.2.
No writeups or analysis indexed.
http://www.exploit-db.com/exploits/29322http://www.securityfocus.com/bid/63455https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-onehttps://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treatshttp://www.exploit-db.com/exploits/29322http://www.securityfocus.com/bid/63455https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-onehttps://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
2020-02-07
Published