High severity 8.1 · OSV Advisory · Published Jul 12, 2016 · Updated May 6, 2026

CVE-2016-6174

Description

An unauthenticated PHP code injection in IPS Community Suite ≤4.1.12.3 via the content_class parameter. Exploitation requires PHP before 5.4.24 or 5.5.x before 5.5.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the `/applications/core/modules/front/system/content.php` script of IPS Community Suite (Invision Power Board) versions 4.1.12.3 and prior [2][3]. User input supplied through the `content_class` request parameter is used to construct a class name without proper sanitization (line 38: `$class = 'IPS\\' . implode( '\\', explode( '_', \IPS\Request::i()->content_class ) );`). This crafted class name is then passed to the `class_exists()` function at line 40. The exploit leverages an autoloading function in `/applications/cms/Application.php` (lines 171–174) that performs an `eval()` on user-controlled data when the class name starts with `IPS\cms\Fields` and is followed by a numeric value. Successful exploitation requires the application to run on PHP versions before 5.4.24 or 5.5.x before 5.5.8 [2][3][4].

Exploitation

An unauthenticated attacker can trigger the vulnerability by sending a crafted HTTP GET request to a vulnerable IPS Community Suite instance [2][4]. The request must target `index.php` with parameters `app=core&module=system&controller=content&do=find` and a malicious `content_class` value such as `cms\Fields1{}phpinfo();/*` [2][3][4]. No prior authentication or special network position is required; the attack can be carried out remotely. The vulnerable code path is reachable immediately upon sending the request, with no user interaction needed [2].

Impact

Successful exploitation allows remote, unauthenticated attackers to inject and execute arbitrary PHP code on the web server [2][3][4]. This grants the attacker full control over the affected application and potentially the underlying server, depending on the PHP and web server configuration. The impact includes complete compromise of confidentiality, integrity, and availability (CIA) of the IPS Community Suite instance and any data it processes [2]. The attacker can execute system commands, read/write sensitive files, and pivot to other internal systems.

Mitigation

IPS Community Suite version 4.1.13 (released on 2016-07-05) fixes the vulnerability [2][3][4]. The vendor released this patched version one day after being notified, addressing the issue by properly sanitizing the content_class parameter [2][4]. All users running versions 4.1.12.3 or earlier must upgrade to 4.1.13 or later. No workarounds are documented in the available references, and this CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. If upgrading is not immediately possible, applying a web application firewall (WAF) rule to block malicious content_class values may serve as a temporary mitigation.
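The check a WAF rule on `content_class` would make, applied here to access logs, as an added example (not code from IPS or from the referenced advisories): it rebuilds the class name the way the quoted line 38 does and flags any value that is not made of plain underscore-separated identifiers. The allow-list pattern, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list: a legitimate value is underscore-separated alphanumeric
# segments (the page shows the controller splitting the value on "_").
SEGMENT = re.compile(r"[A-Za-z][A-Za-z0-9]*")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format, documentation IPs).
# "forums_Topic" is a made-up benign value; the second is the page's PoC, URL-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2016:10:00:00 +0000] "GET /ips/index.php?app=core'
    '&module=system&controller=content&do=find&content_class=forums_Topic'
    ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2016:10:00:05 +0000] "GET /ips/index.php?app=core'
    '&module=system&controller=content&do=find'
    '&content_class=cms%5CFields1%7B%7Dphpinfo()%3B/* HTTP/1.1" 200 90211',
]


def build_class_name(content_class):
    """Python mirror of the construction quoted from content.php line 38."""
    return "IPS\\" + "\\".join(content_class.split("_"))


def is_safe_content_class(value):
    """True only if every "_"-separated segment is a plain identifier."""
    return all(SEGMENT.fullmatch(part) for part in value.split("_"))


def suspicious_requests(log_lines):
    """Return (client, raw value, resulting class name) for rejected values."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so encoded and raw payloads compare equal.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in params.get("content_class", []):
            if not is_safe_content_class(value):
                hits.append((line.split()[0], value, build_class_name(value)))
    return hits


if __name__ == "__main__":
    for client, value, class_name in suspicious_requests(SAMPLE_LOG):
        print(f"{client} content_class={value!r} -> {class_name!r}")
```

The same allow-list can back a blocking rule in front of an unpatched instance. It only narrows exposure until the upgrade to 4.1.13 is applied.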

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing input sanitization on the content_class parameter allows an attacker to inject arbitrary class names that reach an eval() call in the CMS autoloader."

Attack vector

An unauthenticated remote attacker sends an HTTP GET request to the content controller endpoint with a crafted `content_class` parameter [ref_id=1]. The input is not sanitized before being used to construct a class name that is passed to `class_exists()`, which triggers PHP's autoloading mechanism [ref_id=1][ref_id=2]. The autoloader in `applications/cms/Application.php` checks if the class name starts with `IPS\cms\Fields` followed by a numeric character; if so, it passes the numeric suffix into an `eval()` statement, allowing arbitrary PHP code execution [ref_id=1][ref_id=3]. The attack requires PHP before version 5.4.24 or 5.5.x before 5.5.8 [ref_id=1][ref_id=2]. The proof-of-concept URL is: `http://[host]/[ips]/index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*` [ref_id=1][ref_id=2][ref_id=3].

Affected code

The vulnerable code is in `/applications/core/modules/front/system/content.php` at line 38, where user input from the `content_class` request parameter is unsafely concatenated into a class name: `$class = 'IPS\\' . implode( '\\', explode( '_', \IPS\Request::i()->content_class ) )` [ref_id=1][ref_id=2][ref_id=3]. The attacker-controlled class name is then passed to `class_exists()` at line 40, which triggers PHP's autoloader. The dangerous autoloading function resides in `/applications/cms/Application.php` at lines 171-174, where a crafted class name matching `IPS\cms\Fields` followed by a numeric character leads to an `eval()` call [ref_id=1][ref_id=2][ref_id=3].

What the fix does

The advisory states that the vendor fixed the vulnerability in version 4.1.13 [ref_id=1][ref_id=2][ref_id=3]. No patch diff is included in the bundle, so the exact code change is not visible. The remediation guidance is to update to IPS Community Suite 4.1.13 or later [ref_id=1][ref_id=2][ref_id=3].

Preconditions

  • config: The application must be running on PHP before version 5.4.24 or 5.5.x before 5.5.8
  • auth: No authentication required; the vulnerable endpoint is accessible to unauthenticated users
  • network: Attacker must be able to send HTTP requests to the IPS Community Suite web application
  • input: Attacker supplies a crafted content_class parameter in the HTTP request

Reproduction

Send the following HTTP request to the target: `http://[host]/[ips]/index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*` [ref_id=1][ref_id=2][ref_id=3]. The `content_class` parameter value `cms\Fields1{}phpinfo();/*` triggers the autoloader's `eval()` call, executing `phpinfo()` as a proof of concept [ref_id=1][ref_id=3].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
