CVE-2012-2226
published 2020-01-09


Priority: P2 (62) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: known
EPSS: 7.36% (93.6th percentile)
Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.

Affected

1 range

Vendor              Product                 Version range   Fixed in
invisioncommunity   invision_power_board    < 3.3.1         3.3.1

Detection & IOCs (extracted from sources)

url:      http://localhost/ipb330/index.php?app=core&module=global&section=like&do=unsubscribe&key=Zm9ydW1zOy8uLi8uLi90ZXN0OzE7MTsxO2NvbWUyd2FyYXhlQHlhaG9vLmNvbQ
path:     like.php
path:     admin/sources/classes/like/composite.php
other:    Zm9ydW1zOy8uLi8uLi90ZXN0OzE7MTsxO2NvbWUyd2FyYXhlQHlhaG9vLmNvbQ (the base64 'key' value from the URL above)
command:  forums;/../../test;1;1;1;<email> (decoded form of that 'key' value)
path:     /proc/self/environ
  • Monitor GET requests to index.php with parameters app=core, module=global, section=like, do=unsubscribe containing a base64-encoded 'key' parameter with path traversal sequences (e.g. /../) after decoding.
  • Detect base64-decoded 'key' parameter values containing semicolon-delimited fields where the second field (area) contains directory traversal sequences such as /../../.
  • Alert on PHP require_once calls in IPB's loadLibrary function being invoked with a file path containing traversal sequences, indicating LFI exploitation in progress.
  • Watch for authenticated users uploading avatar/image files containing PHP code followed shortly by LFI requests to the like/unsubscribe endpoint — this is the two-stage exploitation pattern described.
  • On Linux targets, monitor for LFI requests where the decoded 'area' field resolves to /proc/self/environ, which can be used for remote code execution via log/environment poisoning.
  • Exploitation requires the attacker to be authenticated as a valid registered user on the forum; unauthenticated exploitation is not possible.
  • The LFI payload's email component in the base64-encoded 'key' must match the authenticated user's registered email address, limiting generic replay attacks.
  • Affected versions are IPB 3.3.0 and 3.2.3; older versions may also be vulnerable. Version 3.3.1 contains the fix.
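As an added defensive example (not part of the CVE record and not Invision's code), the following Python applies the detection bullets above to web-server access logs: it isolates like/unsubscribe requests, base64-decodes the 'key' parameter, splits it on semicolons and flags a second (area) field that carries directory traversal or resolves to /proc/self/environ. The log lines, client addresses and e-mail addresses are constructed for the example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit
# Added example, not part of the CVE record: flags like/unsubscribe requests whose
# base64 'key' carries traversal (or /proc/self/environ) in its second, 'area', field.
LIKE_ENDPOINT = {"app": "core", "module": "global", "section": "like", "do": "unsubscribe"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def _b64(s: str) -> str:
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")

# Constructed sample access-log lines; client addresses, paths and e-mails are hypothetical.
_BASE = '"GET /ipb330/index.php?app=core&module=global&section=like&do=unsubscribe&key='
SAMPLE_LOG = [
    f'10.0.0.5 - - [09/Jan/2020:10:00:01 +0000] {_BASE}{_b64("forums;topic;42;1;1;alice@example.invalid")} HTTP/1.1" 200 512',
    f'10.0.0.9 - - [09/Jan/2020:10:00:07 +0000] {_BASE}{_b64("forums;/../../uploads/av;1;1;1;bob@example.invalid")} HTTP/1.1" 200 9',
    f'10.0.0.9 - - [09/Jan/2020:10:00:12 +0000] {_BASE}{_b64("forums;/../../../proc/self/environ;1;1;1;bob@example.invalid")} HTTP/1.1" 200 2048',
    '10.0.0.7 - - [09/Jan/2020:10:01:00 +0000] "GET /ipb330/index.php?app=forums&module=forums&section=topics&t=5 HTTP/1.1" 200 8100',
]

def decode_key(key: str) -> Optional[list]:
    # IPB's 'key' is base64 of ';'-separated fields; re-pad, decode, None if not base64
    try:
        raw = base64.urlsafe_b64decode(key.strip() + "=" * (-len(key.strip()) % 4))
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace").split(";")

def classify_area(area: str) -> Optional[str]:
    """Reason string if the area field looks like LFI abuse, else None."""
    parts = [p for p in re.split(r"[\\/]+", area) if p]  # handle / and \ separators
    if ".." not in parts:
        return None
    if parts[-3:] == ["proc", "self", "environ"]:
        return "traversal to /proc/self/environ (environment-poisoning RCE path)"
    return "directory traversal in area field"

def analyze_request(log_line: str) -> Optional[dict]:
    """Finding for a suspicious like/unsubscribe request, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(urlsplit(m.group(1)).query).items()}
    if any(params.get(k) != v for k, v in LIKE_ENDPOINT.items()):
        return None  # some other IPB page, not the vulnerable endpoint
    fields = decode_key(params.get("key", ""))
    if fields is None or len(fields) < 2:
        return None
    reason = classify_area(fields[1])
    return {"client": log_line.split()[0], "area": fields[1], "reason": reason} if reason else None
```

Run `[f for f in map(analyze_request, SAMPLE_LOG) if f]` over a log to list the findings; only the second and third constructed lines are flagged.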

CVSS provenance

NVD · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P