cbcvebase.
CVE-2012-5223
published 2012-10-01

CVE-2012-5223: The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and…

PriorityP267high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
40.53%
98.5th percentile
The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_repl parameter, which is inserted into a regular expression that is processed by the preg_replace function with the eval switch.

Affected

17 ranges
VendorProductVersion rangeFixed in
crawlabilityvbseo<= 3.6.0
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo
crawlabilityvbseo

Detection & IOCsextracted from sources · hover to see the quote

path/includes/functions_vbseocp_abstract.php
commandchar_repl='{${print(<flag>)}}'=>
commandchar_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>
  • Monitor POST requests targeting vBSEO endpoints for the 'char_repl' parameter containing PHP complex curly syntax patterns such as '{${...}}'
  • Detect HTTP requests carrying a custom 'Code' header containing base64-encoded PHP payloads, used to deliver the eval'd payload via $_SERVER[HTTP_CODE]
  • Alert on POST requests to vBulletin/vBSEO URIs where the body contains 'char_repl' with eval, base64_decode, passthru, or print function calls embedded in curly brace syntax
  • ·The exploit URI path is configurable by the attacker; the default is '/vb/' but can be set to any path pointing to the vBulletin installation root, so path-based detection alone is insufficient
  • ·Affected versions span vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0 and earlier; detections should not be scoped to a single version
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.