CVE-2012-5223
Published 2012-10-01
Priority: P2 67, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 40.53% (98.5th percentile)
The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_repl parameter, which is inserted into a regular expression that is processed by the preg_replace function with the eval switch.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crawlability | vbseo | <= 3.6.0 | — |
Detection & IOCs
- Monitor POST requests targeting vBSEO endpoints for the 'char_repl' parameter containing PHP complex curly syntax patterns such as '{${...}}'
- Detect HTTP requests carrying a custom 'Code' header containing base64-encoded PHP payloads, used to deliver the eval'd payload via $_SERVER[HTTP_CODE]
- Alert on POST requests to vBulletin/vBSEO URIs where the body contains 'char_repl' with eval, base64_decode, passthru, or print function calls embedded in curly brace syntax
- The exploit URI path is configurable by the attacker; the default is '/vb/' but can be set to any path pointing to the vBulletin installation root, so path-based detection alone is insufficient
- Affected versions span vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0 and earlier; detections should not be scoped to a single version
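The three request checks listed above can be combined into one matcher; this is an added example, not code from the indexed sources, and the function names, rule labels and sample requests are constructed for illustration. The URI path is deliberately left out of the match, and the 'Code' header check is a heuristic that will need tuning against local traffic.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

CURLY = re.compile(r"\{\s*\$\s*\{")  # opening of PHP complex curly syntax: {${
FUNCS = re.compile(r"\b(eval|base64_decode|passthru|print)\s*\(", re.I)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def is_base64(value):
    """Heuristic: at least 8 characters that strictly decode as base64."""
    try:
        return len(value) >= 8 and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False

def findings(raw):
    """Return rule labels (hypothetical names) that fire for one request."""
    method, _path, headers, body = parse_request(raw)  # path is not matched on
    hits = []
    if method == "POST":
        # parse_qsl URL-decodes, so %7B%24%7B is inspected as {${
        for key, value in parse_qsl(body, keep_blank_values=True):
            if key.startswith("char_repl") and CURLY.search(value):
                hits.append("char_repl-curly-syntax")
                if FUNCS.search(value):
                    hits.append("char_repl-function-call")
    if is_base64(headers.get("code", "")):
        hits.append("base64-code-header")
    return hits

# Constructed sample requests (not captured traffic); placeholders, not payloads.
CODE = base64.b64encode(b"constructed sample").decode()
SUSPICIOUS = ("POST /forum/any/path.php HTTP/1.1\r\nHost: forum.example\r\n"
              f"Code: {CODE}\r\n\r\n"
              "char_repl=%7B%24%7Beval%28CONSTRUCTED%29%7D%7D")
BENIGN = ("POST /vb/any/path.php HTTP/1.1\r\nHost: forum.example\r\n\r\n"
          "char_repl=plain-text")
```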
No detection rules found.
Exploit-DB
vBSEO 3.6.0 - 'proc_deutf()' Remote PHP Code Injection (Metasploit)
exploitdb·2012-01-27
---
require 'msf/core'
class Metasploit3 'vBSEO %q{
This module exploits a vulnerability in the 'proc_deutf()' function
defined in /includes/functions_vbseocp_abstract.php. User input passed through
'char_repl' POST parameter isn't properly sanitized before being used in a call
to preg_replace() function which uses the 'e' modifier. This can be exploited to
inject and execute arbitrary code leveraging the PHP's complex curly syntax.
},
'Author' => 'EgiX ', # originally reported by the vendor
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['BID', '51647'],
['URL', 'http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/'],
],
'Privileged' => false,
'Payload' =>
Metasploit
vBSEO proc_deutf() Remote PHP Code Injection
metasploit
This module exploits a vulnerability in the 'proc_deutf()' function defined in /includes/functions_vbseocp_abstract.php for vBSEO versions 3.6.0 and earlier. User input passed through 'char_repl' POST parameter isn't properly sanitized before being used in a call to preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary code leveraging the PHP's complex curly syntax.
No writeups or analysis indexed.
- http://osvdb.org/78508
- http://secunia.com/advisories/47699
- http://www.exploit-db.com/exploits/18424
- http://www.securityfocus.com/bid/51647
- http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72689
Published: 2012-10-01