Description
The vulnerability is caused due to this method unserialize user input passed through cookies without a proper sanitization. The only one check is done at line 4026, where is controlled that the serialized string starts with 'a:', but this is not sufficient to prevent a "PHP Object Injection" because an attacker may send a serialized string which represents an array of objects. This can be exploited to execute arbitrary PHP code via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable, for this reason successful exploitation of this vulnerability requires short_open_tag to be enabled.
Remediation
Apply the security patch provided by the vendor (IP.Board 3.1.x, 3.2.x and 3.3.x Critical Security Update).
References
Related Vulnerabilities
WordPress Plugin ZoomSounds-WordPress Wave Audio Player with Playlist Arbitrary File Upload (2.0)
WordPress Plugin Error Log Viewer by BestWebSoft Cross-Site Scripting (1.0.5)
Internet Information Services CVE-2006-6578 Vulnerability (CVE-2006-6578)