Vulnerabilities > CVE-2016-6174 - PHP Code Injection vulnerability in IPS Community Suite

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
invisionpower
php
invisioncommunity
nessus
exploit available

Summary

applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.

Vulnerable Configurations

Part Description Count
Application
Invisioncommunity
71
Application
Php
587

Exploit-Db

descriptionIPS Community Suite 4.1.12.3 - PHP Code Injection. CVE-2016-6174. Webapps exploit for php platform
fileexploits/php/webapps/40084.txt
idEDB-ID:40084
last seen2016-07-11
modified2016-07-11
platformphp
port80
published2016-07-11
reporterEgidio Romano
sourcehttps://www.exploit-db.com/download/40084/
titleIPS Community Suite 4.1.12.3 - PHP Code Injection
typewebapps

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOS_10_12.NASL
descriptionThe remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, or is not macOS 10.12. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple HSSPI Support - AppleEFIRuntime - AppleMobileFileIntegrity - AppleUCC - Application Firewall - ATS - Audio - Bluetooth - cd9660 - CFNetwork - CommonCrypto - CoreCrypto - CoreDisplay - curl - Date & Time Pref Pane - DiskArbitration - File Bookmark - FontParser - IDS - Connectivity - ImageIO - Intel Graphics Driver - IOAcceleratorFamily - IOThunderboltFamily - Kerberos v5 PAM module - Kernel - libarchive - libxml2 - libxpc - libxslt - mDNSResponder - NSSecureTextField - Perl - S2 Camera - Security - Terminal - WindowServer Note that successful exploitation of the most serious issues can result in arbitrary code execution.
last seen2020-06-01
modified2020-06-02
plugin id93685
published2016-09-23
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/93685
titlemacOS < 10.12 Multiple Vulnerabilities

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/137804/KIS-2016-11.txt
idPACKETSTORM:137804
last seen2016-12-05
published2016-07-07
reporterEgiX
sourcehttps://packetstormsecurity.com/files/137804/IPS-Community-Suite-4.1.12.3-PHP-Code-Injection.html
titleIPS Community Suite 4.1.12.3 PHP Code Injection

Seebug

bulletinFamilyexploit
descriptionDetails source: The [know Chong Yu 404 security lab](<http://blog.knownsec.com/2016/08/ips-community-suite-php-rce-cve-2016-6174/>) ### A vulnerability overview 1\. Vulnerability information "IPS Community Suite "is a foreign of the more common cms. But in its 4. 1. 12. 3 version and the following version, there is a PHP code injection vulnerability that stems from the procedures fail to adequately filter content_class request parameters. A remote attacker may exploit this vulnerability to inject and execute arbitrary PHP code. 2\. Vulnerability trigger conditions IPS version:`<=4.1.12.3` php environment:`<=5.4. 24 and 5. 5. 0-5. 5. 8` ### Second, the vulnerability reproduction #### 1\. Vulnerability analysis In /applications/core/modules/front/system/content.php in the file there is a section of this code, `$class = 'IPS' . implode( ", explode( '_', IPSRequest::i()->content_class ) ); if ( ! class_exists( $class ) or ! in_array( 'IPSContent', class_parents( $class ) ) ) { IPSOutput::i()->error( 'node_error', '2S226/2', 404, " ); }` Here program by IPSRequest::i()-&gt;content_class get us through the GET request submitted content_class parameters, after a certain string of processing, after entering the class_exists function, in the process, and not on our incoming data is filtered, it is possible to produce vulnerability, the following we go into to /applications/cms/Application.php file spl_autoload_register function `if ( mb_substr( $class, 0, 14 ) === 'IPScmsFields' and is_numeric( mb_substr( $class, 14, 1 ) ) ) { $databaseId = mb_substr( $class, 14 ); eval( "namespace IPScms; class Fields{$databaseId} the extends Fields { public static $customDatabaseId [...] }` Finally, we can construct a specific parameter, enter the eval function, resulting in remote code execution The program process is as follows: ![](http://blog.knownsec.com/wp-content/uploads/2016/08/ips.png) #### 2\. IPS official repair analysis Through our analysis and comparison Found in / applications/cms/Application. php this file in the original spl_autoload_register() and after the update ![](http://blog.knownsec.com/wp-content/uploads/2016/08/ips_fix-1024x413.png) We can see that the official use of the intval() function the last incoming $class to an integer validation So that the incoming $class 14th place after being qualified to become an integer, prevent the incoming string into the eval() #### 3\. PHP version upgrade analysis In PHP version &gt;=5.4.25 or &gt;=5.5.9. changes class_exists mechanism While less than the version without this restriction can normally trigger the vulnerability `$class = 'IPS' . implode( ", explode( '_', IPSRequest::i()->content_class ) ); if ( ! class_exists( $class ) or ! in_array( 'IPSContent', class_parents( $class ) ) ) { IPSOutput::i()->error( 'node_error', '2S226/2', 404, " ); }` Here `$class="IPS\cms\Fields1{}phpinfo();/*"` time no longer triggering the class_exists() to load `/applications/cms/Application.php ` the spl_autoload_register (), it will trigger the vulnerability #### 4\. Exploit Thus, we can construct a PoC of: `http://*/ips/index. php? app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*` Effect as shown: ![](http://blog.knownsec.com/wp-content/uploads/2016/08/phpinfo.png) Pocsuite: ![](http://blog.knownsec.com/wp-content/uploads/2016/08/pocsuite-verify.png) #### 5\. Bug fixes PHP 5.4. x upgraded to 5.4.25 more than 5.5. x upgrade to 5.5.9 above IPS to upgrade to`4.12.3.1 above ### Third, the reference * http://blog.knownsec.com/2016/08/ips-community-suite-php-rce-cve-2016-6174/ * https://invisionpower.com/ * http://windows.php.net/downloads/releases/archives/ * http://karmainsecurity.com/KIS-2016-11 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6174
idSSV:92096
last seen2017-11-19
modified2016-07-13
published2016-07-13
reporterRoot
titleIPS Community Suite <= 4.1.12.3 Autoloaded PHP remote code execution vulnerability