Invision Power Board version 3.3.4 unserialize PHP code execution
Description
Invision Power Board version 3.3.4 contains an insecure deserialization vulnerability in its cookie handling mechanism. The application deserializes user-supplied cookie data without proper validation, only checking that the serialized string begins with 'a:' (array notation). This insufficient validation allows attackers to inject malicious serialized objects. By crafting a payload containing an array of objects, attackers can trigger the __destruct() method of the dbMain class, which writes attacker-controlled data to files through the writeDebugLog method. Successful exploitation requires the PHP short_open_tag setting to be enabled, as code injection occurs via the $_SERVER['QUERY_STRING'] variable.
Remediation
Apply the official security patch immediately by upgrading to the patched version of IP.Board (3.1.x, 3.2.x, and 3.3.x Critical Security Update) available from the vendor. If immediate patching is not possible, implement the following temporary mitigations:
1. Disable short_open_tag in php.ini to prevent code execution via query strings
2. Implement strict input validation for cookie data before deserialization
3. Replace unsafe unserialize() calls with secure alternatives that validate data types:
    // Instead of:
    $data = unserialize($cookie);

    // Use JSON for data serialization (the code that writes the cookie
    // must then use json_encode() instead of serialize()):
    $data = json_decode($cookie, true);
    if (!is_array($data)) {
        // Handle invalid data
        $data = array();
    }
4. Monitor web server logs for suspicious activity targeting cache/sh.php or similar paths
5. Review and remove any unauthorized files created in the cache directory
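For mitigation 2, where existing serialized cookies cannot be moved to JSON straight away, the following added example (not IP.Board or vendor code) puts the 'a:' prefix check described above beside a stricter decode that refuses to instantiate classes. The function names, the DemoLogger stand-in class, the 4096-byte limit and the sample cookie values are assumptions made for illustration, and the allowed_classes option requires PHP 7.0 or later.

```php
<?php
// Added example with hypothetical names; requires PHP 7.0+ for allowed_classes.

// Harmless stand-in for an application class with a side-effecting destructor.
class DemoLogger
{
    public static $destructed = 0;
    public function __destruct() { self::$destructed++; }
}

// The check the advisory describes: only the 'a:' prefix is tested.
function weak_check(string $raw): bool
{
    return strpos($raw, 'a:') === 0;
}

// True if any element, at any depth, is an object or an incomplete-class stub.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

// Hardened decode: never instantiate classes, accept only object-free arrays.
function safe_cookie_array(string $raw): array
{
    if (strlen($raw) > 4096 || !weak_check($raw)) { // size limit is an assumption
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($data) && !contains_object($data)) ? $data : [];
}

// Constructed sample cookie values.
$benign = serialize(['topic' => 12, 'read' => [1, 2, 3]]);
$nested = 'a:1:{i:0;O:10:"DemoLogger":0:{}}'; // object wrapped in an array

var_dump(weak_check($nested));         // prefix test alone
var_dump(safe_cookie_array($nested));  // hardened path on the same input
var_dump(safe_cookie_array($benign));  // hardened path on a plain array
var_dump(DemoLogger::$destructed);     // destructor call count
```

With allowed_classes set to false, the nested object is decoded as a __PHP_Incomplete_Class placeholder instead of a DemoLogger instance, so no application destructor runs and the cookie is discarded as an empty array. The explicit instanceof test is there because is_object() returns false for such placeholders before PHP 7.2.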