CVE-2012-5692
published 2012-10-31

Priority: P2 61
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 24.91% (97.6th percentile)
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
invisioncommunity | invision_power_board | |
invisioncommunity | invision_power_board | |
invisionpower | invision_power_board | |
invisionpower | invision_power_board | |
invisionpower | invision_power_board | |
invisionpower | invision_power_board | |
invisionpower | invision_power_board | |
invisionpower | invision_power_board | |
invisionpower | invision_power_board | |

Detection & IOCs (extracted from sources)

path: admin/sources/base/core.php
path: cache/sh.php
cookie: member_id=a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}
  • Detect exploitation attempts via the member_id cookie containing a serialized PHP object payload targeting the db_driver_mysql class with use_debug_log and debug_log keys.
  • Alert on GET requests to index.php accompanied by a member_id cookie value containing PHP serialization syntax (e.g., 'O:+15:"db_driver_mysql"' or 'O:15:"db_driver_mysql"'), indicating unserialize regex bypass attempts.
  • Monitor for creation of or GET requests to files under the cache/ directory with a .php extension, as the exploit writes a webshell to cache/sh.php or a random-named .php file in cache/.
  • Detect HTTP requests to cache/*.php that include a 'Cmd:' header, which is the webshell command execution mechanism used by the exploit.
  • The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code; monitor for unexpected PHP file creation in the IPB web directory's cache/ folder.
  • The regex bypass variant uses 'O:+15:' (with a leading plus sign) to evade unserialize input validation; detection signatures must account for both 'O:15:' and 'O:+15:' serialized object prefixes.
  • The Metasploit module uses a randomly named PHP file (rand_text_alpha) in the cache/ directory rather than the fixed 'sh.php' name; file-name-based detection alone is insufficient.
  • The vulnerability is exploitable unauthenticated; no session or login is required, so authentication-based controls do not mitigate the attack vector.
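
The detection points above, combined into one check over parsed HTTP requests. This is an added example, not code from this page's sources or from IP.Board. The request dict shape, the finding labels and the sample requests are assumptions constructed for illustration, and the percent-decoding step goes beyond the bullets to cover cookie values that arrive encoded.

```python
import re
from urllib.parse import unquote

# Serialized PHP object prefix; '\+?' covers both the O:15: and O:+15: forms.
OBJ_PREFIX = re.compile(r'O:\+?\d+:"(\w+)"')
# Everything after member_id= (over-approximates: raw payloads contain ';').
MEMBER_ID = re.compile(r'(?:^|;\s*)member_id=(.*)', re.S)
# Any .php file directly under cache/, whatever its name (sh.php or random).
CACHE_PHP = re.compile(r'(?:^|/)cache/[^/?]+\.php(?:\?|$)', re.I)

def decode(value, rounds=3):
    """Percent-decode repeatedly so encoded payloads are matched in raw form."""
    for _ in range(rounds):
        nxt = unquote(value)  # unquote() leaves a literal '+' untouched
        if nxt == value:
            break
        value = nxt
    return value

def inspect(req):
    """Return finding labels for one request: {'path': str, 'headers': dict}."""
    findings = []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    m = MEMBER_ID.search(headers.get("cookie", ""))
    if m:
        value = decode(m.group(1))
        obj = OBJ_PREFIX.search(value)
        if obj:
            findings.append("serialized-object:" + obj.group(1))
            if "debug_log" in value:
                findings.append("debug_log-key")
    if CACHE_PHP.search(req["path"]):
        findings.append("cache-php-request")
        if "cmd" in headers:
            findings.append("cmd-header")
    return findings

# Constructed sample requests (truncated cookie values, not captured traffic).
SAMPLES = [
    {"path": "/index.php", "headers": {"Cookie": "member_id=42; session_id=abc"}},
    {"path": "/index.php", "headers": {
        "Cookie": 'member_id=a:1:{i:0;O:15:"db_driver_mysql":1:{s:9:"debug_log"'}},
    {"path": "/index.php", "headers": {
        "Cookie": "session_id=abc; member_id=a%3A1%3A%7Bi%3A0%3BO%3A%2B15%3A%22db_driver_mysql%22"}},
    {"path": "/cache/qWeRtY.php", "headers": {"Cmd": "placeholder"}},
    {"path": "/cache/style.css", "headers": {}},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["path"], inspect(s))
```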