The developers of vBulletin have released a patch to the popular forum software that fixes a remote code execution vulnerability that could be used by attackers to compromise vBulletin sites. The vulnerability has been available on vulnerability marketplaces for some time, and – in the spirit of full disclosure – a proof of concept and details of the vulnerability were released by Check Point. In consequence, the existence of this vulnerability and the mechanism for its exploitation are public knowledge – unpatched vBulletin sites are at risk of compromise.
Patches are available for recent versions of vBulletin. It’s believed – but not yet confirmed by vBulletin – that the vulnerability is related to the recent compromise of vBulletin.com, in which over 300 thousand sets of user data were exfiltrated by an attacker. Members at vBulletin.com will be required to change their password to access the patch, if they have not done so already.
This vBulletin vulnerability is particularly serious because it is both a remote code execution vulnerability and quite simple to exploit. It has been observed in the wild by Sucuri.
vBulletin is an enormously popular forum application. It’s used by 78% of forums in the top 100-thousand sites, including numerous prominent forums with many hundreds of thousands of users.
The timeline for the discovery of the vulnerability is somewhat complicated. Check Point revealed that the vulnerability was originally reported to vBulletin at the start of October and that the patch was released at the beginning of this month. In the meantime, the forum at vBulletin.com was compromised. A hacker using the name Coldzer0 claimed responsibility for the attack, in addition to listing the vulnerability on a site selling exploits. After the vBulletin patch was released, another individual published details of a vulnerability that has been in circulation for some time. These vulnerabilities, if exploited, may allow the almost complete takeover of a vBulletin site and the loss of sensitive user data. vBulletin sites should be patched as soon as possible.
If you’re interested in understanding the full details of the vulnerability, take a look at the Check Point post. In a nutshell, the vulnerability is caused by the way the vBulletin API is implemented. Because it neither verified the origin of requests nor whitelisted arguments, it was possible for an attacker to inject code into the API that, among other things, could delete files that the web server has access to or execute arbitrary PHP code.