Description
The vulnerability exists because this method unserializes user input passed through cookies without proper sanitization. The only check is performed at line 4026, which verifies that the serialized string starts with 'a:', but this is not sufficient to prevent a "PHP Object Injection", because an attacker may send a serialized string that represents an array of objects. This can be exploited to execute arbitrary PHP code via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable; for this reason, successful exploitation of this vulnerability requires short_open_tag to be enabled.
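The following added example (not IP.Board code and not the vendor's patch) shows why the 'a:' prefix check described above does not stop object instantiation, next to a hardened decoder that refuses anything other than plain data. The class `DemoLogger`, the functions `weakDecode`, `safeDecode` and `isPlainData`, and the cookie value are hypothetical and constructed for illustration; the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// DemoLogger is a constructed stand-in for a class with a side-effecting
// destructor; it is not IP.Board code.
class DemoLogger
{
    public static $destructed = 0;
    public $path = 'debug.log';
    public function __destruct()
    {
        self::$destructed++; // a real class might write a file here
    }
}

// Weak form: only the 'a:' prefix is inspected before unserialize().
function weakDecode(string $cookie)
{
    return strpos($cookie, 'a:') === 0 ? unserialize($cookie) : null;
}

// True only for null, scalars, and arrays made of those (no objects).
function isPlainData($v): bool
{
    if (!is_array($v)) {
        return $v === null || is_scalar($v);
    }
    foreach ($v as $item) {
        if (!isPlainData($item)) {
            return false;
        }
    }
    return true;
}

// Hardened form: no class is instantiated, and leftover object placeholders are rejected.
function safeDecode(string $cookie)
{
    $data = strpos($cookie, 'a:') === 0
        ? unserialize($cookie, ['allowed_classes' => false]) : null;
    return (is_array($data) && isPlainData($data)) ? $data : null;
}

// Constructed cookie value: passes the prefix check, contains an object.
$cookie = 'a:1:{i:0;O:10:"DemoLogger":1:{s:4:"path";s:9:"debug.log";}}';
$weak = weakDecode($cookie);
unset($weak); // the injected object's destructor runs here
printf("destructor calls after weakDecode: %d\n", DemoLogger::$destructed);
var_dump(safeDecode($cookie)); // rejected: the element is not plain data
printf("destructor calls after safeDecode: %d\n", DemoLogger::$destructed);
```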
Remediation
Apply the security patch provided by the vendor (IP.Board 3.1.x, 3.2.x and 3.3.x Critical Security Update).