CVE-2023-4591
📋 TL;DR
CVE-2023-4591 is a local file inclusion vulnerability in WPN-XM Serverstack version 0.8.6 that allows unauthenticated attackers to load arbitrary PHP files via the page parameter of /tools/webinterface/index.php. This can lead to webshell deployment and server compromise. Only users running WPN-XM Serverstack 0.8.6 are affected.
💻 Affected Systems
- WPN-XM Serverstack
📦 What is this software?
Wpn Xm by Wpn Xm
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via webshell leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Unauthenticated attacker gains remote code execution and establishes persistent access via webshell.
If Mitigated
Limited information disclosure if PHP file reading is restricted, but still serious.
🎯 Exploit Status
Simple GET request exploitation with publicly available proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.7 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wpn-xm-serverstack
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Download WPN-XM Serverstack 0.8.7 or later from the official source.
3. Stop all services.
4. Install the updated version.
5. Restart services.
6. Verify web interface functionality.
🔧 Temporary Workarounds
Disable Web Interface
All platforms: remove or restrict access to the vulnerable /tools/webinterface/ directory.
# Move or rename directory
mv /path/to/wpn-xm/tools/webinterface /path/to/wpn-xm/tools/webinterface_disabled
# Or block access in web server config
# For Apache: <Location "/tools/webinterface/">
# Require all denied
# </Location>
Input Validation Filter
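All platforms: add parameter validation to prevent LFI exploitation.
# Add to index.php before page parameter processing
# Allow-list of page names; adjust it to the pages your installation serves
$allowed_pages = ['dashboard', 'settings', 'logs'];
$page = $_GET['page'] ?? '';
# Strict comparison, and reject non-string input such as page[]=x
if (!is_string($page) || !in_array($page, $allowed_pages, true)) {
    die('Invalid page requested');
}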
🧯 If You Can't Patch
- Implement strict network access controls to limit web interface access to trusted IPs only.
- Deploy web application firewall (WAF) with LFI protection rules and monitor for exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check if accessing http://[server]/tools/webinterface/index.php?page=../../../../etc/passwd returns system files (test in safe environment only).
Check Version:
# Check WPN-XM version
cat /path/to/wpn-xm/version.txt
# Or check via web interface if accessible
Verify Fix Applied:
Repeat the vulnerability check after patching. The server should return an error or the default page instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- GET requests to /tools/webinterface/index.php with suspicious page parameters containing path traversal sequences (../, ..\)
- Multiple failed LFI attempts from single IP
- Unusual file access patterns in web server logs
Network Indicators:
- Unusual outbound connections from web server following LFI attempts
- Traffic patterns matching known webshell communication
SIEM Query:
source="web_logs" AND uri_path="/tools/webinterface/index.php" AND (query_string="*..%2F*" OR query_string="*..\\*")
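The log indicators above, implemented as an offline log scan. This is an added example, not code from the vendor or the advisory. It decodes the page value before matching, so raw, percent-encoded and double-encoded traversal sequences are all caught. The combined log format, the case-insensitive path match, the threshold of 3 and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/tools/webinterface/index.php"
# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e%252f) is seen."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def suspicious_page(request_target):
    """Return the decoded page value if it hits the vulnerable script with traversal, else None."""
    parts = urlsplit(request_target)
    if fully_decode(parts.path).lower() != VULN_PATH:  # assumption: case-insensitive path
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("page", []):
        page = fully_decode(raw)
        if TRAVERSAL_RE.search(page):
            return page
    return None

def scan(lines, threshold=3):
    """Return (hits, noisy_ips): flagged (ip, page, status) tuples and IPs with >= threshold hits."""
    hits, per_ip = [], Counter()
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, target, status = m.groups()
        page = suspicious_page(target)
        if page is not None:
            hits.append((ip, page, int(status)))
            per_ip[ip] += 1
    return hits, sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Sep/2023:10:00:01 +0000] "GET /tools/webinterface/index.php?page=dashboard HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Sep/2023:10:00:05 +0000] "GET /tools/webinterface/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Sep/2023:10:00:06 +0000] "GET /tools/webinterface/index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Sep/2023:10:00:07 +0000] "GET /tools/webinterface/index.php?page=%252e%252e%255c%252e%252e%255cboot.ini HTTP/1.1" 404 210',
    '198.51.100.7 - - [01/Sep/2023:10:00:09 +0000] "GET /index.php?page=../x HTTP/1.1" 404 210',
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A flagged request that returned status 200 deserves priority, since the inclusion may have succeeded.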