CVE-2016-8580
Published 2016-10-28

Priority: P265 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 6.86% (93.2nd percentile)
PHP object injection vulnerabilities exist in multiple widget files in AlienVault OSSIM and USM before 5.3.2. These vulnerabilities allow arbitrary PHP code execution via magic methods in included classes.

Affected (2 ranges)

Vendor      Product                                                 Version range   Fixed in
alienvault  open_source_security_information_and_event_management   <= 5.3.1        5.3.2
alienvault  unified_security_management                             <= 5.3.1        5.3.2

Detection & IOCs (extracted from sources)

path: /ossim/dashboard/sections/widgets/data/gauge.php
path: /ossim/dashboard/sections/widgets/data/image.php
path: /ossim/action/modifyactions.php
path: /ossim/action/getaction.php
path: /ossim/policy/policy.php
path: /ossim/policy/newpolicy.php
path: /ossim/conf/reload.php
filename: gauge.php
filename: flow_chart.php
  • Detect PHP object injection attempts by monitoring GET requests to widget PHP files under /ossim/dashboard/sections/widgets/data/ containing serialized PHP object payloads (e.g., 'O:' or 'a:' prefixed URL-encoded strings) in the 'value' parameter.
  • Alert on HTTP requests to gauge.php (or other widget files) with the User-Agent 'AV Report Scheduler' — this is the authentication bypass header used to access the vulnerable endpoint without credentials.
  • Detect SQL injection via error-based extractvalue() payloads in the 'value' GET parameter of gauge.php, specifically patterns matching 'extractvalue(rand(),concat(0x3a' or 'XPATH syntax error' in HTTP responses.
  • Monitor for POST requests to /ossim/action/modifyactions.php with 'action_type=2' and an 'exec_command' parameter containing Python payloads, indicating rogue action creation for OS command execution.
  • Monitor for POST requests to /ossim/policy/newpolicy.php immediately following action creation, which is the step used to arm the rogue action via a policy trigger.
  • Detect the exploit trigger phase: an SSH login attempt to port 22 as 'root' with a random password immediately after policy creation, which is used to fire the rogue policy/action chain.
  • Detect X-Forwarded-For header spoofing on requests to OSSIM widget and policy endpoints — the exploit sets X-Forwarded-For to the attacker's own IP to bypass IP-based access controls.
  • Look for the IDS_Report PHP class name appearing in serialized object payloads sent to widget endpoints, as it is the class used in the published PoC to trigger the __toString magic method.
  • The session hijack via SQL injection only succeeds if at least one administrator session exists in the sessions table at the time of exploitation; an empty table will cause the exploit to fail.
  • The vulnerability affects AlienVault OSSIM and USM versions up to and including 5.3.1; version 5.3.2 contains the fix.

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)