CVE-2012-2226
Published: 2020-01-09
Priority: P262 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 7.36% (93.6th percentile)
Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| invisioncommunity | invision_power_board | < 3.3.1 | 3.3.1 |
Detection & IOCs (extracted from sources)
Example URL: http://localhost/ipb330/index.php?app=core&module=global&section=like&do=unsubscribe&key=Zm9ydW1zOy8uLi8uLi90ZXN0OzE7MTsxO2NvbWUyd2FyYXhlQHlhaG9vLmNvbQ
- Monitor GET requests to index.php with parameters app=core, module=global, section=like, do=unsubscribe containing a base64-encoded 'key' parameter with path traversal sequences (e.g. /../) after decoding.
- Detect base64-decoded 'key' parameter values containing semicolon-delimited fields where the second field (area) contains directory traversal sequences such as /../../.
- Alert on PHP require_once calls in IPB's loadLibrary function being invoked with a file path containing traversal sequences, indicating LFI exploitation in progress.
- Watch for authenticated users uploading avatar/image files containing PHP code followed shortly by LFI requests to the like/unsubscribe endpoint; this is the two-stage exploitation pattern described.
- On Linux targets, monitor for LFI requests where the decoded 'area' field resolves to /proc/self/environ, which can be used for remote code execution via log/environment poisoning.
- Exploitation requires the attacker to be authenticated as a valid registered user on the forum; unauthenticated exploitation is not possible.
- The LFI payload's email component in the base64-encoded 'key' must match the authenticated user's registered email address, limiting generic replay attacks.
- Affected versions are IPB 3.3.0 and 3.2.3; older versions may also be vulnerable. Version 3.3.1 contains the fix.
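The first two detection notes above can be implemented directly as a log-side check: take the `key` parameter from requests to the like/unsubscribe endpoint, base64-decode it, split the record on `;` and inspect the second (area) field for traversal sequences or a `/proc/self/environ` target. The detector below is an added example written for this page; it is not code from Invision Power Board or from the page's sources. The record layout it assumes (`forums;<area>;1;1;1;<email>`) mirrors the decoded example URL above, the endpoint parameters come from the notes, and the access-log lines are constructed sample data.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical detector (not from the page or from Invision): flags requests to
# IPB's like/unsubscribe endpoint whose base64 'key' decodes to a ';'-delimited
# record with directory traversal in the second ("area") field.

TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")   # matches /../ , \..\ , ../
SENSITIVE_TARGETS = ("/proc/self/environ",)
ENDPOINT = {"app": "core", "module": "global", "section": "like", "do": "unsubscribe"}


def decode_key(key: str):
    """Base64-decode the key leniently: restore '+' that parse_qs turned into a
    space, accept the URL-safe alphabet and re-add stripped padding (the example
    URL on the page has its '==' padding removed). Returns None if undecodable."""
    key = key.strip().replace(" ", "+")
    key += "=" * (-len(key) % 4)
    try:
        raw = base64.b64decode(key, altchars=b"-_")
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_request(url: str) -> dict:
    """Return a verdict dict for one request URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    on_endpoint = parts.path.endswith("index.php") and all(
        query.get(name, [None])[0] == value for name, value in ENDPOINT.items()
    )
    verdict = {"url": url, "endpoint": on_endpoint, "suspicious": False, "reasons": []}
    if not on_endpoint or "key" not in query:
        return verdict
    decoded = decode_key(query["key"][0])
    if decoded is None:
        verdict["reasons"].append("key is not valid base64")
        return verdict
    fields = decoded.split(";")
    area = fields[1] if len(fields) > 1 else ""   # second field is the area/path
    verdict["area"] = area
    if TRAVERSAL.search(area):
        verdict["reasons"].append("directory traversal in area field")
    if any(target in area for target in SENSITIVE_TARGETS):
        verdict["reasons"].append("area resolves to a sensitive file")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


def scan_access_log(lines):
    """Run inspect_request over Common Log Format lines and return the alerts."""
    alerts = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP/[\d.]+"', line)
        if not m:
            continue
        verdict = inspect_request("http://forum.example" + m.group(1))
        if verdict["suspicious"]:
            alerts.append(verdict)
    return alerts


def _key(record: str) -> str:
    """Encode a record the way the application's key would look (constructed)."""
    return base64.b64encode(record.encode()).decode()


# Constructed sample traffic: a benign unsubscribe, a traversal attempt toward an
# uploaded avatar, one toward /proc/self/environ, and an unrelated request.
PREFIX = '"GET /index.php?app=core&module=global&section=like&do=unsubscribe&key='
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jan/2020:10:00:01 +0000] ' + PREFIX
    + _key("forums;topics;1;1;1;user@example.com") + ' HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jan/2020:10:00:05 +0000] ' + PREFIX
    + _key("forums;/../../uploads/avatar_1.jpg;1;1;1;user@example.com") + ' HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jan/2020:10:00:09 +0000] ' + PREFIX
    + _key("forums;/../../../../proc/self/environ;1;1;1;user@example.com") + ' HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Jan/2020:10:00:12 +0000] "GET /index.php?app=forums&module=ajax HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["url"], "->", ", ".join(alert["reasons"]))
```

Decoding has to be lenient because the key travels in a query string: `parse_qs` turns a literal `+` into a space, and the example URL above ships without its `==` padding, so a strict decoder would silently miss exactly the requests worth alerting on. Correlating an alert with a recent avatar upload by the same account (the fourth note above) is a natural next step that this snippet leaves to the SIEM.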
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.