CVE-2023-28854

8.0 HIGH

📋 TL;DR

CVE-2023-28854 is a command injection vulnerability in the nophp PHP framework that allows attackers to execute arbitrary shell commands on the web server. This affects all users running nophp versions prior to 0.0.1. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • nophp PHP framework
Versions: All versions prior to 0.0.1
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using vulnerable versions of the nophp framework.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining shell access as the httpd user, allowing data theft, installation of malware, lateral movement, and complete server takeover.

🟠

Likely Case

Remote code execution leading to web server compromise, data exfiltration, and potential use as a foothold for further attacks.

🟢

If Mitigated

Limited impact where strict input validation and command sanitization are already in place, which can prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Command injection vulnerabilities typically have low exploitation complexity when unauthenticated access is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.1 or later

Vendor Advisory: https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm

Restart Required: No

Instructions:

1. Update to nophp version 0.0.1 or later.
2. Alternatively, apply the patch from commit e5409aa2d441789cbb35f6b119bef97ecc3986aa to index.php.
3. Verify the fix by checking the updated code.

🔧 Temporary Workarounds

Apply env_patchsample230330.php workaround

Applies to: all

Add the env_patchsample230330.php function to env.php as a temporary mitigation: copy the function from the vendor advisory and add it to env.php.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Restrict web server permissions and implement least privilege principles

🔍 How to Verify

Check if Vulnerable:

Check if running nophp version prior to 0.0.1 or if index.php lacks the patch from commit e5409aa2d441789cbb35f6b119bef97ecc3986aa

Check Version:

Check nophp version in framework files or deployment configuration

Verify Fix Applied:

Verify index.php contains the patch from commit e5409aa2d441789cbb35f6b119bef97ecc3986aa or version is 0.0.1+

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in web server logs
  • Suspicious process execution from web user
  • Unexpected system calls

Network Indicators:

  • Unusual outbound connections from web server
  • Command and control traffic patterns

SIEM Query:

web_server_logs WHERE process_execution LIKE '%shell%' OR command LIKE '%cmd%' FROM httpd_user
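The SIEM query above is pseudo-syntax. As a concrete, added example (not part of this advisory and not code from the nophp project), the script below scans web-server access-log lines for URL-encoded shell metacharacters in request query strings, which is the log-level signal a command-injection attempt against index.php would typically leave. The sample log lines are constructed for illustration; the parameter name `page` and the client addresses are assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2023:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Mar/2023:10:00:02 +0000] "GET /index.php?page=home%3Bid HTTP/1.1" 200 640 "-" "curl/7.88"
203.0.113.9 - - [30/Mar/2023:10:00:03 +0000] "GET /index.php?page=%24%28whoami%29 HTTP/1.1" 200 640 "-" "curl/7.88"
198.51.100.2 - - [30/Mar/2023:10:00:04 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that separate or substitute commands. Checked after
# URL decoding so that %3B (;) or %24%28 ($() are not missed.
SHELL_PATTERNS = [
    (re.compile(r';'), 'semicolon'),
    (re.compile(r'\|'), 'pipe'),
    (re.compile(r'`'), 'backtick'),
    (re.compile(r'\$\('), 'command substitution'),
    (re.compile(r'&&'), 'and-chain'),
    (re.compile(r'\n'), 'newline'),
]


def flag_request(path):
    """Return the names of shell metacharacters found in the decoded query
    string of a request path, or an empty list if none are present."""
    if '?' not in path:
        return []
    query = unquote_plus(path.split('?', 1)[1])
    return [name for pattern, name in SHELL_PATTERNS if pattern.search(query)]


def scan_log(text):
    """Parse each log line and return a list of findings for requests whose
    query string carries shell metacharacters."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        indicators = flag_request(match.group('path'))
        if indicators:
            findings.append({
                'ip': match.group('ip'),
                'timestamp': match.group('ts'),
                'path': match.group('path'),
                'indicators': indicators,
            })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} {finding['path']} -> {finding['indicators']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Expect some false positives from legitimate pipes or semicolons in query strings; the useful signal is a metacharacter followed by a command-like token, repeated from one client, correlated with the process-execution indicators listed above.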
