Description
The vulnerability exists because this method unserializes user input passed through cookies without proper sanitization. The only check is at line 4026, which verifies that the serialized string starts with 'a:'. This is not sufficient to prevent PHP Object Injection, because an attacker may send a serialized string that represents an array of objects. This can be exploited to execute arbitrary PHP code via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug info into a file. PHP code can be injected only through the $_SERVER['QUERY_STRING'] variable; for this reason, successful exploitation of this vulnerability requires short_open_tag to be enabled.
Remediation
Apply the security patch provided by the vendor (IP.Board 3.1.x, 3.2.x and 3.3.x Critical Security Update).
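The following added example (not IP.Board's code and not the vendor's patch) shows why the 'a:' prefix check described above is insufficient, next to one way to decode such a cookie without instantiating any object. It assumes PHP 7.1+ for the `allowed_classes` option and the nullable return type; the function names, the `DemoLogger` class name and the sample strings are constructed for illustration.

```php
<?php
// The insufficient check described above: only the two-byte prefix is inspected.
function prefixCheckOnly(string $raw): bool
{
    return strncmp($raw, 'a:', 2) === 0;
}

// True if an object appears at any depth of the decoded value.
function containsObject($value): bool
{
    // Blocked classes decode to __PHP_Incomplete_Class; before PHP 7.2
    // is_object() returned false for those, so test for both.
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode a cookie that must hold a plain array; null means "reject".
function safeDecodeArray(string $raw): ?array
{
    // allowed_classes => false: no class is instantiated, so no __destruct() runs.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value) || containsObject($value)) {
        return null;
    }
    return $value;
}

// Constructed sample cookie values (DemoLogger is a hypothetical class name).
$benign = 'a:2:{s:5:"theme";s:4:"dark";s:3:"ids";a:2:{i:0;i:1;i:1;i:2;}}';
$nested = 'a:1:{i:0;O:10:"DemoLogger":1:{s:4:"file";s:13:"/tmp/demo.log";}}';

var_dump(prefixCheckOnly($nested));   // prefix check applied to the nested-object sample
var_dump(safeDecodeArray($nested));   // hardened decode of the same sample
var_dump(safeDecodeArray($benign));   // hardened decode of the plain array
```

Where the cookie only needs to carry scalars and arrays, replacing `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` removes object instantiation from the decode path entirely.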