UPDATE (Nov 26; 09:10 UTC) Developers of vBulletin published a set of patches for versions 5.5.4, 5.5.3 and 5.5.2 of the software designed to block the effectiveness of the recently discovered exploit.
An anonymous researcher has dropped exploit code for a zero-day remote code execution (RCE) vulnerability in vBulletin, the popular internet forum software package.
The exploit – said to work on all versions of vBulletin from 5.0.0 to 5.5.4 (the latest version of the software) – offers a means to inject arbitrary and potentially malicious code onto vulnerable systems.
The PHP template injection attack works pre-authorization, so there’s no requirement for a potential attacker to obtain a login to any targeted systems before launching attacks.
A number of independent penetration testers and security researchers have confirmed on social media that the exploit works.
The Daily Swig has reached out to vBulletin for comment on how it plans to respond to the as yet unpatched vulnerability.
Prash Somaiya, technical program manager at HackerOne, said that most users are still running older versions of vBulletin, meaning that they are not exposed to this particular risk, even though they have other issues to contend with.
“Having looked into this a little, it looks like the Version 5 of vBulletin that has this issue is only in use by 6.4% of users so this risk is mitigated by… well… being out of date,” Somaiya said.
“That does not mean these sites are safe, as there is a plethora of other vulnerabilities out there that affect versions below 5.0.”
“Admins and site owners using vBulletin should check what version they’re running and, if using Version 5, update it as soon as they can or this trivial issue could cause some major problems,” he advised.
Ilia Kolochenko, founder and chief executive of web security company ImmuniWeb, said site admins who are running the vulnerable forums should consider suspending their use of the software, pending the development and rollout of the necessary security patches.
“Website owners running the vulnerable versions should urgently shut down their vBulletin forums completely while the vendor is working on an emergency patch,” Kolochenko warned.
“This critical RCE vulnerability is surprisingly simple to exploit, and sadly very few web application firewalls will block its exploitation.”
He added: “These days security flaws exploitable in a default configuration and without authentication are very rare in such well-established web software.”
The motives for the spontaneous disclosure of this critical security bug remain unclear, especially since a vulnerability of this type can be worth $10,000 or perhaps more on exploit marketplaces, given the number of high-profile targets using vBulletin forum software.