CVE-2023-46818
published 2023-10-27CVE-2023-46818: An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is…
PriorityP356high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
13.89%
96.1th percentile
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ispconfig | ispconfig | < 3.2.11 | 3.2.11 |
| ispconfig | ispconfig | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect the PHP injection pattern in language_edit.php requests: a records parameter value beginning with ']; followed by file_put_contents and base64_decode, indicating an attempt to write a webshell. ↗
- →Alert on GET requests to /admin/*.php files with a custom 'C' header containing a base64-encoded OS command — this is the webshell command execution pattern used post-exploitation. ↗
- →The exploit requires admin_allow_langedit to be enabled; the Metasploit module will attempt to enable it automatically if disabled — monitor for unexpected changes to ISPConfig system configuration settings. ↗
- →Watch for newly created .php files in the /admin/ directory of ISPConfig, especially with random alphanumeric names (32 chars), as the exploit drops a webshell there via file_put_contents. ↗
- ·The vulnerability is only exploitable when the ISPConfig setting 'admin_allow_langedit' is enabled. If this setting is disabled, the attack surface does not exist. ↗
- ·The Metasploit module targets authenticated administrators only — this is a post-authentication vulnerability requiring high-privilege credentials (PR:H in CVSS). ↗
- ·Affected versions are ISPConfig before 3.2.11p1. Detection rules should be scoped to unpatched instances. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
ISPConfig - PHP Code Injection
nuclei·CVSS 7.2
CVE-2023-46818 [HIGH] ISPConfig - PHP Code Injection
ISPConfig - PHP Code Injection
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
Template:
id: CVE-2023-46818
info:
name: ISPConfig - PHP Code Injection
author: non-things
severity: high
description: |
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
impact: |
Authenticated administrators can inject and execute arbitrary PHP code, potentially gaining complete server control.
remediation: |
Upgrade ISPConfig to version 3.2.11p1 or later, and ensure admin_allow_langedit is disabled unless absolutely necessary.
reference:
- https://www.ispconfig.org/blog/ispconf
Metasploit
ISPConfig language_edit.php PHP Code Injection
metasploit
ISPConfig language_edit.php PHP Code Injection
ISPConfig language_edit.php PHP Code Injection
This module exploits a PHP code injection vulnerability in ISPConfig's language_edit.php file. The vulnerability occurs when the `admin_allow_langedit` setting is enabled, allowing authenticated administrators to inject arbitrary PHP code through the language editor interface. This module will automatically check if the required `admin_allow_langedit` permission is enabled, and attempt to enable it if it's disabled (requires admin credentials with system configuration access). The exploit works by injecting a PHP payload into a language file, which is then executed when the file is accessed. The payload is base64 encoded and written using PHP's file_put_contents function.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/176126/ISPConfig-3.2.11-PHP-Code-Injection.htmlhttp://seclists.org/fulldisclosure/2023/Dec/2https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/http://packetstormsecurity.com/files/176126/ISPConfig-3.2.11-PHP-Code-Injection.htmlhttp://seclists.org/fulldisclosure/2023/Dec/2https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/
2023-10-27
Published