An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin, one of the most widely used internet forum software packages.
The flaw is severe not only because it is remotely exploitable, but also because exploiting it requires no authentication: any unauthenticated visitor who can reach the forum can trigger it.
Written in PHP, vBulletin is a widely used proprietary internet forum software package that powers more than 100,000 websites, including the forums of Fortune 500 companies and sites in the Alexa Top 1 million.
According to details published on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions from 5.0.0 through the latest release at the time, 5.5.4.
The vulnerability resides in the way an internal widget file of the forum software accepts its configuration from URL parameters and then parses that configuration on the server without proper safety checks, allowing an attacker to inject commands and remotely execute code on the underlying system.
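To make the class of bug concrete, the following is an added illustration written for this article; it is not vBulletin's code and does not reproduce the disclosed exploit. It shows the general anti-pattern the disclosure describes (a widget renderer that takes configuration from the request and evaluates part of it as PHP) beside a hardened version. All function, parameter and file names (`render_widget_vulnerable`, `render_widget_hardened`, `config`, `widget`, the `widgets/` directory) are hypothetical.

```php
<?php
// Added illustration, not vBulletin's code. Names are hypothetical.

// VULNERABLE pattern: the renderer trusts request-supplied configuration
// and evaluates a piece of it as PHP. No authentication, no validation.
function render_widget_vulnerable(array $request): string
{
    $config = $request['config'] ?? [];   // fully attacker-controlled
    ob_start();
    eval($config['code'] ?? '');          // request data becomes server code
    return ob_get_clean();
}

// HARDENED pattern: request data may only *select* a widget from a fixed
// allowlist, widget code lives on disk and is never assembled from input,
// and the action is gated behind an authenticated, privileged session.
const WIDGET_ALLOWLIST = [
    'recent_posts' => __DIR__ . '/widgets/recent_posts.php',
    'online_users' => __DIR__ . '/widgets/online_users.php',
];

function render_widget_hardened(array $request, bool $isAdmin): string
{
    if (!$isAdmin) {                      // privileged operation: require auth
        http_response_code(403);
        return '';
    }

    $name = $request['widget'] ?? '';
    if (!isset(WIDGET_ALLOWLIST[$name])) { // strict allowlist, no path from input
        http_response_code(400);
        return '';
    }

    // Only simple, scalar options survive; nothing from the request is ever
    // passed to eval(), include() or a shell.
    $opts = [];
    foreach (($request['config'] ?? []) as $key => $value) {
        if (preg_match('/^[a-z_]{1,32}$/', (string)$key) && is_scalar($value)) {
            $opts[$key] = htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
        }
    }

    ob_start();
    include WIDGET_ALLOWLIST[$name];      // fixed file; $opts is available to it
    return ob_get_clean();
}
```

The practitioner's check is the same whatever the framework: trace every request parameter that reaches `eval`, `include`, `create_function`, `preg_replace` with the `e` modifier, or a shell function, and confirm that none of them can be reached without authentication. An allowlist of server-side templates, as above, removes the code path entirely rather than trying to sanitise PHP source.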
As a proof of concept, the hacker has also released a Python-based exploit that could make it easy for anyone to exploit the zero-day in the wild.
So far, no Common Vulnerabilities and Exposures (CVE) identifier has been assigned to the vulnerability.
The Hacker News has also informed the vBulletin project maintainers about the disclosure and expects them to patch the issue before attackers start exploiting it against vBulletin installations. Until a fix is available, administrators should treat every internet-facing vBulletin 5.x forum as exposed to unauthenticated remote code execution.
- vBulletin Releases Patch Update for New RCE and SQLi Vulnerabilities
- Comodo Forums Hack Exposes 245,000 Users’ Data — Recent vBulletin 0-day Used
- Hackers Actively Exploiting Latest Drupal RCE Flaw Published Last Week
- Critical Flaws in ‘OXID eShop’ Software Expose eCommerce Sites to Hacking
- Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers