Invision Power Board ‘core.php’ PHP Code Execution Vulnerability


Invision Power Board is prone to a vulnerability that lets remote attackers execute arbitrary code.


The information has been provided by Egidio Romano.


Vulnerable Systems:
 * Invision Power Services Invision Power Board 3.3.1 and prior

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

Vulnerable code in the IPSCookie::get() method defined in /admin/sources/base/core.php:

    static public function get($name)
    {
        // Check internal data first
        if ( isset( self::$_cookiesSet[ $name ] ) )
        {
            return self::$_cookiesSet[ $name ];
        }
        else if ( isset( $_COOKIE[ ipsRegistry::$settings['cookie_id'] . $name ] ) )
        {
            $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'] . $name ];

            // Only the two-byte prefix is inspected before the value reaches unserialize()
            if ( substr( $_value, 0, 2 ) == 'a:' )
            {
                return unserialize( stripslashes( urldecode( $_value ) ) );
            }
            // ... remainder of the method is not reproduced in the advisory
        }
    }

The vulnerability is caused by this method unserializing user input passed through cookies without proper sanitization. The only check is done at line 4026, where it is verified that the serialized string starts with 'a:', but this is not sufficient to prevent a PHP Object Injection, because an attacker may send a serialized string that represents an array of objects. This can be exploited to execute arbitrary PHP code via the '__destruct()' method of the 'dbMain' class, which calls the 'writeDebugLog' method to write debug info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable; for this reason, successful exploitation of this vulnerability requires short_open_tag to be enabled.
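The following PHP is an added illustration, not code from the advisory or from Invision Power Board: it shows why checking only for the 'a:' prefix does not stop a serialized array from carrying objects, and how a hardened cookie reader can use the allowed_classes option of unserialize() (PHP 7.0 and later) to refuse to instantiate any class. The function names and the sample cookie values are constructed for this example.

```php
<?php
// Added example (not IPB code): 'a:' prefix check versus a hardened cookie reader.

// Constructed sample cookie values in PHP's native serialization format.
// The second one is an array whose only element is a harmless stdClass object.
$plainArray      = 'a:1:{s:3:"key";s:5:"value";}';
$arrayWithObject = 'a:1:{i:0;O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}}';

// Equivalent of the check in the advisory: only the first two bytes are inspected,
// so any array, including an array of objects, is accepted.
function weakPrefixCheckPasses(string $value): bool
{
    return substr($value, 0, 2) === 'a:';
}

// Hardened variant: allowed_classes => false makes unserialize() turn every object
// into __PHP_Incomplete_Class, so no application class is instantiated and none of
// its __wakeup() or __destruct() methods can run. Non-array results are rejected.
// (If the cookie only needs arrays of scalars, json_encode()/json_decode() avoids
// native serialization entirely.)
function safeUnserializeArray(string $value)
{
    if (substr($value, 0, 2) !== 'a:') {
        return null;
    }
    $data = @unserialize($value, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Detection helper: walk the decoded value and report whether any (incomplete)
// objects remain, which is a signal worth logging or rejecting outright.
function containsObjects($data): bool
{
    if (is_object($data)) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $item) {
            if (containsObjects($item)) {
                return true;
            }
        }
    }
    return false;
}

echo 'weak prefix check accepts array-of-objects: ',
    var_export(weakPrefixCheckPasses($arrayWithObject), true), PHP_EOL;
echo 'hardened decode still reports objects:       ',
    var_export(containsObjects(safeUnserializeArray($arrayWithObject)), true), PHP_EOL;
echo 'plain array reports objects:                 ',
    var_export(containsObjects(safeUnserializeArray($plainArray)), true), PHP_EOL;
```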

Disclosure Timeline:
[21/10/2012] – Vulnerability discovered
[23/10/2012] – Vendor notified
[25/10/2012] – Patch released:
[25/10/2012] – CVE number requested
[29/10/2012] – Assigned CVE-2012-5692
[31/10/2012] – Public disclosure
