SecurityvulnsSECURITYVULNS:DOC:28732[CVE-2012-5692] Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution Vulnerability
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution Vulnerability
author…: Egidio Romano aka EgiX
mail…: n0b0d13s[at]gmail[dot]com
software link…: http://www.invisionpower.com/
[-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php
-
static public function get($name) -
{ -
// Check internal data first -
if ( isset( self::$_cookiesSet[ $name ] ) ) -
{ -
return self::$_cookiesSet[ $name ]; -
} -
else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) ) -
{ -
$_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ]; -
if ( substr( $_value, 0, 2 ) == 'a:' ) -
{ -
return unserialize( stripslashes( urldecode( $_value ) ) ); -
}
The vulnerability is caused due to this method unserialize user input passed through cookies without a proper
sanitization. The only one check is done at line 4026, where is controlled that the serialized string starts
with 'a:', but this is not sufficient to prevent a "PHP Object Injection" because an attacker may send a
serialized string which represents an array of objects. This can be exploited to execute arbitrary PHP code
via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug
info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable, for this
reason successful exploitation of this vulnerability requires short_open_tag to be enabled.
[-] Disclosure timeline:
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure
[-] Proof of concept:
Related
