Description
The vulnerability is caused by this method unserializing user input passed through cookies without proper sanitization. The only check is done at line 4026, which verifies that the serialized string starts with 'a:', but this is not sufficient to prevent a "PHP Object Injection" because an attacker may send a serialized string which represents an array of objects. This can be exploited to execute arbitrary PHP code via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable; for this reason, successful exploitation of this vulnerability requires short_open_tag to be enabled.
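The gap in a prefix-only check, and one way to close it, shown as an added example that is neither IP.Board code nor the vendor's patch. The `DemoLogger` class, the function names and the cookie strings are constructed for illustration, and the hardened path assumes PHP 7.1 or later (`allowed_classes` was introduced in PHP 7.0).

```php
<?php
// Constructed stand-in for a class with a side-effecting destructor
// (hypothetical name; not IP.Board code).
class DemoLogger
{
    public $message = '';
    public static $destructed = 0;
    public function __destruct() { self::$destructed++; }
}

// The kind of check the description criticises: only the prefix is inspected.
function prefixCheckOnly(string $cookie): bool
{
    return strncmp($cookie, 'a:', 2) === 0;
}

// True if the value is, or contains at any depth, an object.
function containsObject($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened decode: no class is instantiated, so no magic method can run,
// and any value that carried an object is rejected outright.
function safeUnserializeArray(string $cookie): ?array
{
    $value = @unserialize($cookie, ['allowed_classes' => false]);
    return (is_array($value) && !containsObject($value)) ? $value : null;
}

// Constructed cookie values: a plain array, and an array wrapping an object.
$benign = 'a:1:{s:5:"theme";s:4:"dark";}';
$nested = 'a:1:{i:0;O:10:"DemoLogger":1:{s:7:"message";s:0:"";}}';

var_dump(prefixCheckOnly($nested));       // result of the prefix-only check
var_dump(safeUnserializeArray($benign));  // hardened decode of the plain array
var_dump(safeUnserializeArray($nested));  // hardened decode of the wrapped object
var_dump(DemoLogger::$destructed);        // number of destructor calls so far
```

Where the cookie only ever needs to carry scalars and arrays, storing it as JSON and reading it with `json_decode()` removes object instantiation from the code path entirely.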
Remediation
Apply the security patch provided by the vendor (IP.Board 3.1.x, 3.2.x and 3.3.x Critical Security Update).