ISPConfig Authenticated Remote Code Execution (CVE-2013-3629)

Metasploit has released a vulnerability notice for the ISPConfig project:

Short Description

A correctly authenticated ISPconfig server administrator is able to upload language files into ISPConfig on his own server which potentially may contain malicious php code.

Questions and answers

Q: Can someone attack my server trough this exploit remotely?
A: No.

Q: Is this a privilege escalation issue?
A: No.

Q: Can a client or reseller attack my server trough this vulnerability?
A: No.

Q: Is a fix available for this Issue?
A: Yes, a fix is available since september 4th
   The patch ID is: 3053_langimport

Q: How can my server be affected by this vulnerability?
A: The only way to misuse this potential vulnerability on an unpatched
   server is that the server administrator downloads a language file
   from an untrusted source and then uploads this language file into
   ISPConfig on his own server after he authenticated himself correctly
   as server administrator. So the risk that someone is affected by
   this issue at all is very low.

Q: How did you fix it?
A: We implemented a stricter parser for the language files to avaoid
   that language files with malicious code get written to disk when
   uploaded by the administrator. Additionally we added a warning text
   to remind the administrator to not upload files from untrusted
   sources to his server.

Q: What about the article at PCWorld and the blog from Metasploit?
A: Metasploit and PCWorld published a misleading article about this
   potential vulnerability in ISPConfig and some other OS projects
   were they claim that we haven't and even won't patch this issue while
   the issue is indeed patched since Sept 4th.
   We informed metasploit about that on Sept 4th. This can be verified
   by everyone in our svn log:
   Revision 4144 from our SVN stable branch:
   The patch was also published on the ISPConfig patch page the same
   day. The disclosure was sent to us encrpyted with our pgp key and
   also our contact information is linked on every page on the website, so the information that we can not be reached
   or that the disclosure could not be sent to us securely as stated by
   PCWorld is just wrong.

Posted by SourceForge Robot 2013-10-31

Log in to post a comment.