CVE-2023-36992

7.2 HIGH

📋 TL;DR

This vulnerability allows a remote attacker who holds admin credentials to inject and execute arbitrary PHP code through the config editor in the TravianZ admin pages. It affects TravianZ game server administrators who expose the admin interface. A successful attacker gains full control of the affected server.

💻 Affected Systems

Products:
  • TravianZ
Versions: 8.3.3 through 8.3.4
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to reach config editor page

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, ransomware deployment, or use as an attack platform

🟠 Likely Case: Webshell installation for persistent access and data exfiltration

🟢 If Mitigated: Limited impact if the admin interface is properly firewalled and access controlled

🌐 Internet-Facing: HIGH - Admin interfaces exposed to internet are directly exploitable
🏢 Internal Only: MEDIUM - Requires attacker to have internal network access or compromised credentials

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once authenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer TravianZ versions if available or implementing workarounds.

🔧 Temporary Workarounds

Restrict Admin Interface Access (linux)

Block external access to admin pages using firewall rules. The example rule below drops all port-80 traffic that does not come from the internal range, not only the admin pages, so it suits a server that is meant to be internal-only. The negation goes before the -s option; the older "-s !" form is deprecated.

iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP # Example for internal only

Implement Strong Authentication (all)

Add an additional authentication layer in front of the admin interface. The htpasswd command only creates the credential file; Apache must still be configured to require that file (AuthType Basic with Require valid-user) for the admin path before anything is enforced.

htpasswd -c /etc/apache2/.htpasswd admin # Basic auth example

🧯 If You Can't Patch

  • Move admin interface to internal network only with VPN access
  • Implement web application firewall with PHP injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check if running TravianZ 8.3.3 or 8.3.4 and admin config editor is accessible

Check Version:

Check TravianZ version in admin panel or config files

Verify Fix Applied:

Test config editor for PHP injection by attempting safe payload like <?php echo 'test'; ?>

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to config editor endpoints
  • PHP execution errors in web logs
  • Admin login from unexpected IPs

Network Indicators:

  • HTTP requests containing PHP tags to admin pages
  • Outbound connections from web server to unknown destinations

SIEM Query:

source="web.log" AND (uri="/admin/config*" AND method="POST" AND (body="<?php" OR body="eval("))
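As an added example that is not part of this page, the following Python applies the SIEM query's logic to constructed web-log records and goes a step beyond the raw query: it URL-decodes and case-folds the POST body before matching (a raw substring match misses an encoded or upper-cased marker) and also flags admin-page requests from outside a trusted range. The trusted range, the log field names and the sample records are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Trusted range borrowed from the firewall example above; adjust to your network (assumption).
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")
ADMIN_CONFIG = re.compile(r"^/admin/config", re.IGNORECASE)
PHP_MARKERS = ("<?php", "eval(")

# Constructed sample records (not real traffic): method, request URI, client IP, logged POST body.
SAMPLE_LOG = [
    {"method": "POST", "uri": "/admin/config.php", "src": "192.168.1.20",
     "body": "server_name=MyServer&speed=3"},                   # benign admin edit
    {"method": "POST", "uri": "/admin/config.php", "src": "203.0.113.9",
     "body": "value=%3C%3Fphp+echo+%27test%27%3B+%3F%3E"},       # URL-encoded PHP tag
    {"method": "POST", "uri": "/admin/config_editor.php", "src": "192.168.1.20",
     "body": "value=EVAL(base64_decode(%27...%27))"},            # upper-case eval(
    {"method": "GET", "uri": "/admin/config.php", "src": "203.0.113.9",
     "body": ""},                                                # admin page from outside
    {"method": "POST", "uri": "/index.php", "src": "198.51.100.4",
     "body": "x=<?php"},                                         # not an admin page
]

def php_injection_attempt(entry):
    """Logic of the SIEM query: a POST to /admin/config* whose body carries a PHP marker.
    The body is URL-decoded and case-folded first so encoded or upper-cased markers still match."""
    if entry.get("method") != "POST" or not ADMIN_CONFIG.match(entry.get("uri", "")):
        return False
    body = unquote_plus(entry.get("body", "")).lower()
    return any(marker in body for marker in PHP_MARKERS)

def admin_access_from_untrusted_ip(entry):
    """Any request to /admin/* from outside the trusted range (the unexpected-IP indicator)."""
    if not entry.get("uri", "").lower().startswith("/admin/"):
        return False
    return ipaddress.ip_address(entry["src"]) not in TRUSTED_NET

def triage(entries):
    """Return (src, uri, reasons) for every record that trips at least one indicator."""
    findings = []
    for e in entries:
        reasons = []
        if php_injection_attempt(e):
            reasons.append("php-injection")
        if admin_access_from_untrusted_ip(e):
            reasons.append("untrusted-admin-ip")
        if reasons:
            findings.append((e["src"], e["uri"], reasons))
    return findings
```

Running triage(SAMPLE_LOG) flags the encoded payload from the external address, the upper-cased eval( from an internal host, and the external GET of the admin page, while the benign edit and the non-admin POST pass.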
