CVE-2020-10389
Description
admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by injecting PHP code into any POST parameter when saving global settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-10389 allows authenticated remote attackers to inject PHP code via any POST parameter in admin/save-settings.php, leading to arbitrary code execution.
Vulnerability
CVE-2020-10389 affects Chadha PHPKB Standard Multi-Language 9. The vulnerability exists in admin/save-settings.php, where the application improperly handles user-supplied POST parameters when saving global settings. An authenticated attacker can inject arbitrary PHP code into any POST parameter, which is then stored and executed on the server. The affected version is Standard Multi-Language 9, as disclosed in the exploit references [1][2].
Exploitation
Exploitation requires an attacker to have valid administrative credentials to access the admin panel. The attacker sends a crafted POST request to admin/save-settings.php with PHP code embedded in one or more parameters (e.g., within <?php ?> tags). The application writes this input into a configuration file that is later included in PHP execution, causing the injected code to be evaluated server-side [1][2]. No additional user interaction is required beyond the initial authentication.
Impact
Successful exploitation yields arbitrary code execution on the web server with the privileges of the web application user. The attacker can execute system commands, read/write files, or further compromise the host environment. This results in a complete loss of confidentiality, integrity, and availability of the affected PHPKB instance and potentially the underlying server [1][2].
Mitigation
As of the available references, no official patch or fixed version has been announced by Chadha PHPKB for CVE-2020-10389. The vendor has not released a security update addressing this issue. Users are advised to restrict access to the admin panel, apply strong authentication, and monitor for suspicious POST requests to admin/save-settings.php. Until a patch is provided, the only reliable mitigation is to ensure the application is not exposed to untrusted networks or to disable the vulnerable functionality if possible [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Chadha PHPKB / Chadha PHPKB Standard Multi-Language
- Range: =9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in admin/save-settings.php allows PHP code injection into configuration values."
Attack vector
An attacker must first authenticate as a superuser via `/admin/login.php` [ref_id=1]. Once authenticated, the attacker sends a crafted POST request to `admin/save-settings.php` containing PHP code injected into any POST parameter (the exploit uses the `putdown_for_maintenance` parameter) [ref_id=1]. The injected payload uses PHP string concatenation syntax (`' . system("cmd") . '`) to break out of the configuration value and execute arbitrary system commands [ref_id=1].
Affected code
The vulnerable endpoint is `admin/save-settings.php` in Chadha PHPKB Standard Multi-Language 9. The file accepts POST parameters to save global settings and writes them into a configuration file without sanitization, allowing PHP code injection through any POST parameter [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix. Remediation would require the application to properly sanitize or escape all user-supplied input before writing it to configuration files, preventing PHP code injection by ensuring values are treated as literal strings rather than executable code [ref_id=1].
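A settings writer of the kind that remediation describes, serializing every value as a PHP string literal with var_export() and accepting only an allowlist of keys, is shown below as an added example (not PHPKB's code); the function name write_settings, the allowlist and the output path are assumptions, and the input value is the one quoted in the advisory:

```php
<?php
// Added example, not PHPKB's code: a settings writer that emits each value
// as a PHP string literal via var_export(), so a value containing quotes and
// concatenation syntax is stored as text and never becomes executable code.
// write_settings, $allowed_keys and the output path are hypothetical.

function write_settings(array $post, array $allowed_keys, string $path): void
{
    $lines = ['<?php', '// generated settings file; values are string literals only'];
    foreach ($allowed_keys as $key) {
        // Unknown POST parameters are ignored instead of being written out.
        if (!array_key_exists($key, $post)) {
            continue;
        }
        // var_export() on a string yields a single-quoted literal with every
        // ' and \ escaped, so the value cannot terminate the quote.
        $literal = var_export((string) $post[$key], true);
        $lines[] = sprintf('$config[%s] = %s;', var_export($key, true), $literal);
    }
    // Write to a temp file and rename, so a half-written file is never included.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, implode(PHP_EOL, $lines) . PHP_EOL, LOCK_EX);
    rename($tmp, $path);
}

// Constructed input: the parameter and value quoted in the advisory.
$post = ['putdown_for_maintenance' => "no' . system(\"id\") . '"];
$path = sys_get_temp_dir() . '/settings-example.php';
write_settings($post, ['putdown_for_maintenance'], $path);

// Including the generated file assigns the original text back, unchanged,
// and executes nothing from the value.
$config = [];
include $path;
var_dump($config['putdown_for_maintenance'] === $post['putdown_for_maintenance']);
```

The allowlist also addresses the "any POST parameter" aspect of the advisory: parameters the application does not define are never written to the configuration file at all.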
Preconditions
- auth: Attacker must have valid superuser credentials to authenticate to the admin panel
- config: The application must be PHPKB Standard Multi-Language version 9
- network: Attacker must be able to reach the /admin/ endpoints over HTTP
- input: Attacker supplies PHP code as a POST parameter value to save-settings.php
Reproduction
1. Authenticate as a superuser: `POST /admin/login.php` with `phpkb_username`, `phpkb_password`, and `login=LOGIN` [ref_id=1].
2. Send a POST request to `/admin/save-settings.php` with any parameter containing a PHP payload, e.g. `putdown_for_maintenance=no' . system("id") . '` [ref_id=1].
3. The command output is returned when the injected configuration is evaluated by PHP [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- antoniocannito.it
- packetstormsecurity.com/files/156751/PHPKB-Multi-Language-9-Authenticated-Remote-Code-Execution.html
- antoniocannito.it/phpkb1
- www.exploit-db.com/exploits/48219
News mentions
No linked articles in our index yet.