CVE-2020-23151

9.8 CRITICAL

📋 TL;DR

CVE-2020-23151 is a critical OS command injection vulnerability in rConfig 3.9.5. The AJAX handler lib/ajaxHandlers/ajaxArchiveFiles.php passes the value of the path GET parameter into a shell command through exec() without validating it, so anyone who can reach the script can run arbitrary commands on the server as the web server user with a single crafted GET request.

💻 Affected Systems

Products:
  • rConfig
Versions: 3.9.5
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Any rConfig 3.9.5 instance with the vulnerable script accessible is affected.

📦 What is this software?

rConfig is an open-source network configuration management tool written in PHP. It logs in to routers, switches and firewalls on a schedule, pulls their running configurations and stores them for versioning, diffing and compliance checks. A compromised rConfig host therefore typically holds device credentials and configurations for the whole network, which is what makes command execution on it so damaging.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to data theft, system takeover, or lateral movement within the network.

🟠

Likely Case

Remote code execution leading to web shell installation, data exfiltration, or use as a foothold for further attacks.

🟢

If Mitigated

Limited impact if the vulnerable handler is patched or disabled, the rConfig web interface is reachable only from a management network, and a web application firewall blocks command-injection payloads in front of it.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable over HTTP with a single request and without authentication.
🏢 Internal Only: HIGH - Any host that can reach the rConfig web interface can exploit it, so an attacker with a foothold anywhere on the internal network gains code execution on a system that stores network device credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a simple HTTP GET request with malicious parameters. Multiple public proof-of-concept exploits are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.6 and later

Vendor Advisory: https://github.com/rconfig/rconfig/releases

Restart Required: No

Instructions:

1. Back up your rConfig installation and database.
2. Download rConfig 3.9.6 or later from the official repository.
3. Apply the upgrade so that the vulnerable ajaxArchiveFiles.php file is replaced with the patched version.
4. Verify the fix by checking that the patched handler validates the path parameter before it reaches exec().

🔧 Temporary Workarounds

Disable vulnerable endpoint (Linux)

Remove or restrict access to the vulnerable PHP script. This disables the archive feature the handler provides until you patch, but it removes the attack surface entirely. Adjust the path if your web root is not /var/www/html.

mv /var/www/html/lib/ajaxHandlers/ajaxArchiveFiles.php /var/www/html/lib/ajaxHandlers/ajaxArchiveFiles.php.disabled
chmod 000 /var/www/html/lib/ajaxHandlers/ajaxArchiveFiles.php.disabled

Web Application Firewall rule (any platform)

Block requests that carry shell metacharacters in the path parameter, or deny the script outright at the web server. Treat the metacharacter denylist as a stopgap only: it is easy to miss a separator, so the character class below also includes CR and LF, which sh treats as command separators just like ';'.

ModSecurity rule: SecRule ARGS:path "[;|&`$()\r\n]" "id:1001,phase:2,deny,status:403,msg:'Command injection attempt'"
nginx: location ~* "/lib/ajaxHandlers/ajaxArchiveFiles\.php" { deny all; }
Place the nginx block before the generic PHP location block; nginx uses the first regex location that matches, so a later deny would never be reached.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate rConfig from critical systems
  • Deploy a web application firewall with command injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check whether the file lib/ajaxHandlers/ajaxArchiveFiles.php exists under the web root and whether the path request parameter reaches exec() without validation. Any 3.9.5 install with that file present should be treated as vulnerable.

Check Version:

grep -r 'rConfig version' /var/www/html/ || cat /var/www/html/install/version.txt
Adjust /var/www/html if your web root differs; any install reporting 3.9.5 is affected.

Verify Fix Applied:

Verify that the patched ajaxArchiveFiles.php validates the 'path' parameter (canonicalises it and restricts it to an allowed directory, or at minimum escapes it) before anything derived from it reaches exec(), and that the reported version is 3.9.6 or later.
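To make that verification concrete, here is an added Python illustration (not rConfig's code, which is PHP, and not taken from the 3.9.6 patch) of the injectable pattern the page describes next to the checks a fixed handler needs. The archive root /var/www/html/data, the tar invocation and the function names are assumptions made for the example; the PHP equivalent of each step is noted in the comments.

```python
"""Added example (not rConfig's code): the injectable pattern this page
describes, string-building a shell command from the 'path' request
parameter, beside a quoted variant and a properly hardened variant.
The archive root and the tar invocation are assumptions for the example."""
import shlex
from pathlib import Path, PurePosixPath

ARCHIVE_ROOT = "/var/www/html/data"   # assumed directory the handler is allowed to archive


def unsafe_command(path_param: str) -> str:
    """Vulnerable pattern: the raw parameter is interpolated into the command.
    PHP's exec() hands the string to /bin/sh, which honours ';', '|', '$()' ..."""
    return f"tar -czf /tmp/archive.tgz {path_param}"


def quoted_command(path_param: str) -> str:
    """First improvement: quote the argument (shlex.quote here, escapeshellarg()
    in PHP). Metacharacters become inert, but '../../etc' still walks out of
    the intended directory, so quoting alone is not the fix."""
    return f"tar -czf /tmp/archive.tgz {shlex.quote(path_param)}"


def safe_argv(path_param: str, root: str = ARCHIVE_ROOT) -> list[str]:
    """Hardened handler: positive character allowlist, no absolute paths or
    '..' segments, canonicalisation, a prefix check against the allowlisted
    root, and an argv list so no shell is involved (subprocess.run(argv) in
    Python; in PHP, realpath() plus a prefix check before escapeshellarg())."""
    if not path_param or "\x00" in path_param:
        raise ValueError("empty or NUL-containing path")
    if not all(c.isalnum() or c in "._-/" for c in path_param):
        raise ValueError("character outside the allowlist")
    rel = PurePosixPath(path_param)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError("absolute path or traversal segment")
    root_r = Path(root).resolve()
    target = (root_r / rel).resolve()      # follows symlinks, so a link out of root is caught
    if target != root_r and root_r not in target.parents:
        raise ValueError("resolved path escapes the archive root")
    return ["tar", "-czf", "/tmp/archive.tgz", "-C", str(root_r),
            str(target.relative_to(root_r))]


def is_rejected(path_param: str, root: str = ARCHIVE_ROOT) -> bool:
    """True when safe_argv() refuses the input (used to exercise the checks)."""
    try:
        safe_argv(path_param, root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "configs; id"                  # constructed injection attempt
    print("unsafe :", unsafe_command(payload))
    print("quoted :", quoted_command(payload))
    print("argv   :", safe_argv("configs/router1", "/tmp/rconfig-demo"))
    for bad in (payload, "../../etc/passwd", "/etc/passwd", "$(id)", "configs\nid"):
        print(f"rejected {bad!r}: {is_rejected(bad, '/tmp/rconfig-demo')}")
```

The argv-list form is the real fix: tar receives the path as one argument no matter what it contains, and the allowlist plus the resolved-prefix check stops traversal that quoting alone would let through.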

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /lib/ajaxHandlers/ajaxArchiveFiles.php with unusual parameters
  • Web server logs showing shell metacharacters in URL parameters
  • Process auditing (auditd, EDR) showing the web server user (apache or www-data) spawning shells or download utilities (sh, bash, curl, wget) that the archive function would not normally start

Network Indicators:

  • HTTP requests containing shell metacharacters (;, |, &, `, $, (, )) in query parameters
  • Unusual outbound connections from the rConfig server

SIEM Query:

source="web_server" AND (url="*ajaxArchiveFiles.php*" AND (param="*;*" OR param="*|*" OR param="*&*" OR param="*`*" OR param="*$(*"))

Run the metacharacter match against URL-decoded parameter values, not the raw request line: an attacker sends %3B or %24%28 rather than a literal ; or $(, and the raw query string of every multi-parameter request contains & as a separator, so the *&* clause fires on legitimate traffic unless it is applied per decoded value.
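As an added example (not from the page or the vendor), the following Python script applies that decoded-parameter check to constructed combined-format access log lines; the IP addresses, timestamps and payloads are made up for the demonstration, and the metacharacter class includes CR and LF because sh treats them as separators too.

```python
"""Added detection example (not rConfig's code): flag access-log requests to
ajaxArchiveFiles.php whose percent-decoded query values contain shell
metacharacters. The log lines below are constructed samples."""
import re
from urllib.parse import unquote, urlsplit

TARGET = "ajaxArchiveFiles.php"
# Classic metacharacters plus CR/LF, which sh also treats as command separators.
META = re.compile(r"[;|&`$(){}<>\n\r]")
# Combined log format: ip ident user [time] "METHOD url PROTO" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def decoded_params(url: str) -> dict[str, str]:
    """Split the query on '&' first, then percent-decode each value, so an
    encoded %26 or %3B is inspected as the '&' or ';' the PHP script will see."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value.replace("+", " "))
    return params


def suspicious_params(url: str) -> dict[str, str]:
    """Return the parameters of a request to the vulnerable handler that contain
    shell metacharacters after decoding; {} for any other request."""
    if not unquote(urlsplit(url).path).endswith(TARGET):
        return {}
    return {k: v for k, v in decoded_params(url).items() if META.search(v)}


def scan(lines) -> list[dict]:
    """Run over access-log lines and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["url"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "params": hits})
    return alerts


# Constructed sample log: two encoded injection attempts, one benign archive
# request, one unrelated script, and one attempt using a newline separator.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:10:01:02 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=configs%3Bid&ext=zip HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Mar/2021:10:01:09 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=.%24%28id%29&ext=zip HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Mar/2021:10:02:30 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=configs&ext=zip HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Mar/2021:10:03:00 +0000] "GET /devices.php?a=1%3B2&b=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2021:10:04:15 +0000] "GET /lib/ajaxHandlers/ajaxArchiveFiles.php?path=configs%0aid&ext=zip HTTP/1.1" 200 512 "-" "python-requests/2.25.1"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The benign archive request and the unrelated script with a ';' in its parameters produce no alert; the three requests to the handler whose decoded path value contains ';', '$(' or a newline do.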

🔗 References

  • https://nvd.nist.gov/vuln/detail/CVE-2020-23151
  • https://github.com/rconfig/rconfig/releases