CVE-2012-6554
published 2013-05-23


Priority P3 · 51 · medium · 6.5 · CVSS 2.0
AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 16.70% (96.6th percentile)
functions/html_to_text.php in the Chat module before 1.5.2 for activeCollab allows remote authenticated users to execute arbitrary PHP code via the message[message_text] parameter to chat/add_messag, which is not properly handled when executing the preg_replace function with the eval switch.

Affected

10 ranges
Vendor | Product | Version range | Fixed in
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module
a51dev | activecollab_chat_module

Detection & IOCs (extracted from sources)

path: activecollab/application/modules/chat/functions/html_to_text.php
command: chat/add_messag
  • Monitor POST requests to index.php containing the parameter 'message[message_text]' combined with 'message[chat_id]' and 'message[posted_to_user_id]', which is the injection endpoint used to deliver the preg_replace /e payload.
  • Detect exploitation attempts by inspecting POST bodies to ActiveCollab's chat endpoint for preg_replace /e modifier abuse — the vulnerable parameter is message[message_text] in chat/add_messag.
  • Presence of the session cookie 'ac_ActiveCollab_sid_eaM4h3LTIZ' in requests to the injection endpoint (index.php) is a strong indicator of active exploitation via the Metasploit module.
  • Reconnaissance phase can be detected by unauthenticated GET requests to 'public/assets/modules/chat/' — the exploit checks for HTTP 200 to confirm the chat module is installed before proceeding.
  • Check for the string 'powered by activeCollab' in HTTP responses to identify vulnerable application instances during attacker reconnaissance.
  • The vulnerable chat module version is prior to 1.5.2; ActiveCollab core versions 2.3.8 and earlier are affected. Patched installations (chat module >= 1.5.2) are not vulnerable.
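
The monitoring points above can be combined into one correlation pass. This is an added example, not code from this page or from any vendor rule. The tab-separated log format, the sample records and the severity labels are assumptions constructed for illustration, and the records carry no authentication state, so the "unauthenticated" condition on the reconnaissance request is not checked.

```python
from urllib.parse import parse_qs, urlsplit

RECON_PATH = "public/assets/modules/chat/"
INJECTION_PARAMS = {"message[message_text]", "message[chat_id]",
                    "message[posted_to_user_id]"}

# Constructed sample records (not real traffic): client, method, URL, status, body.
SAMPLE_LOG = """\
198.51.100.7\tGET\t/public/assets/modules/chat/\t200\t-
198.51.100.7\tPOST\t/index.php\t200\tmessage%5Bmessage_text%5D=hi&message%5Bchat_id%5D=1&message%5Bposted_to_user_id%5D=2
203.0.113.9\tPOST\t/index.php\t200\tmessage%5Bmessage_text%5D=hi&message%5Bchat_id%5D=1&message%5Bposted_to_user_id%5D=2
203.0.113.20\tGET\t/public/assets/modules/chat/\t404\t-
203.0.113.30\tPOST\t/index.php\t200\tlogin%5Bemail%5D=a%40example.test
"""

def parse(line):
    """Split one constructed log line and URL-decode the POST parameter names."""
    client, method, url, status, body = line.split("\t")
    return {"client": client, "method": method, "path": urlsplit(url).path,
            "status": int(status),
            "params": set(parse_qs(body, keep_blank_values=True))}

def classify(rec):
    """Return 'recon', 'injection' or None for one request record."""
    if (rec["method"] == "GET" and rec["path"].endswith(RECON_PATH)
            and rec["status"] == 200):
        return "recon"
    if (rec["method"] == "POST" and rec["path"].endswith("index.php")
            and INJECTION_PARAMS <= rec["params"]):
        return "injection"
    return None

def detect(log_text):
    """Map client -> severity; recon followed by an injection-shaped POST ranks highest."""
    seen_recon, alerts = set(), {}
    for line in log_text.splitlines():
        rec = parse(line)
        kind = classify(rec)
        if kind == "recon":
            seen_recon.add(rec["client"])
        elif kind == "injection":
            alerts[rec["client"]] = "high" if rec["client"] in seen_recon else "medium"
    return alerts

if __name__ == "__main__":
    for client, severity in detect(SAMPLE_LOG).items():
        print(client, severity)
```

The POST rule matches on parameter names only, so each hit still needs the body of `message[message_text]` reviewed.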