Credit:
The information has been provided by Egidio Romano.
Vulnerable Systems:
* Invision Power Services Invision Power Board 3.3.1 and prior
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
POC:
Vulnerable code in the IPSCookie::get() method defined in /admin/sources/base/core.php:

    static public function get($name)
    {
        // Check internal data first
        if ( isset( self::$_cookiesSet[ $name ] ) )
        {
            return self::$_cookiesSet[ $name ];
        }
        else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
        {
            $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];

            // Only check before unserialize(): the value must start with 'a:'
            if ( substr( $_value, 0, 2 ) == 'a:' )
            {
                return unserialize( stripslashes( urldecode( $_value ) ) );
            }
            // ... remainder of the method not shown in the advisory
        }
    }
The vulnerability is caused by this method unserializing user input passed through cookies without proper sanitization. The only check is done at line 4026, where it is verified that the serialized string starts with 'a:', but this is not sufficient to prevent "PHP Object Injection" because an attacker may send a serialized string representing an array of objects. This can be exploited to execute arbitrary PHP code via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable; for this reason, successful exploitation of this vulnerability requires short_open_tag to be enabled.
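The following is an added example, not code from IP.Board or from the advisory author, that places the prefix-only check beside a hardened cookie reader. The function names and the sample cookie value are constructed for illustration; the point it makes is the one above: a serialized value that starts with 'a:' can still carry objects, so the prefix test does not stop unserialize() from instantiating classes chosen by the client.

```php
<?php
// Added example (not IP.Board code). Function names are assumptions.

// Weak form: mirrors the vulnerable logic, a bare "a:" prefix test before unserialize().
function readCookieWeak(string $raw)
{
    $value = stripslashes(urldecode($raw));
    if (substr($value, 0, 2) === 'a:') {
        return unserialize($value); // any class named in the payload gets instantiated
    }
    return $value;
}

// True if the decoded value contains an object at any depth.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened form: cookie data must never select classes. allowed_classes => false
// (PHP >= 7.0) turns every object in the payload into __PHP_Incomplete_Class, so no
// __wakeup()/__destruct() of an application class runs; anything that is not a
// plain array of scalars is then rejected outright.
function readCookieHardened(string $raw)
{
    $value = stripslashes(urldecode($raw));
    if (substr($value, 0, 2) !== 'a:') {
        return $value;
    }
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if (!is_array($decoded) || containsObject($decoded)) {
        return null; // array of objects: exactly the case the prefix check misses
    }
    return $decoded;
}

// Constructed sample: a serialized array whose single element is an object.
// It starts with "a:", so the prefix check accepts it.
$sample = 'a:1:{i:0;O:8:"stdClass":0:{}}';

$weak = readCookieWeak($sample);
var_dump($weak[0] instanceof stdClass);   // bool(true): the object was instantiated

var_dump(readCookieHardened($sample));    // NULL: rejected

// A plain array of scalars still round-trips through the hardened reader.
var_dump(readCookieHardened('a:1:{i:0;s:3:"abc";}')); // array(1) { [0]=> string(3) "abc" }
```

The safer design choice is to not put serialized PHP data in cookies at all: encode with json_encode() and read back with json_decode(), which can never produce application objects. Where unserialize() must remain for compatibility, the allowed_classes option shown above is the minimum, and a server-side log entry for any cookie that fails the check gives operators a detection signal for injection attempts.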
Disclosure Timeline:
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure