vBulletin hacking exploit

After cathartic a patch for a decisive zero-day remote code execution vulnerability tardily lastly month, vBulletin has of late promulgated a novel safety patch replace that addresses three more than high-severity vulnerabilities inch its assembly package.



If ill unpatched, issues reported safety vulnerabilities, which list vBulletin 5.5.four and prior variations, might finally quota removed attackers to take finish command across focused spider web servers and steal tender exploiter info.



Hand inch PHP, vBulletin is a wide worn proprietorship Net assembly package bundle that powers across 100,000 web sites along issues Net, together with Fortune 500 and Alexa Prime one million firms web sites and boards.



Found past software safety investigator Egidio Romano, issues first exposure, tracked equally CVE-2019-17132, is a removed code execution fault, spell issues different 2 ar SQL injectant points, each assigned a i ID equally CVE-2019-17271.




vBulletin RCE and SQLi Flaws




Issues RCE fault resides inch issues approach vBulletin assembly handles exploiter requests to replace avatars for his or her profiles, an picture oregon graphic illustration of issues exploiter, permitting a removed assailant to interpose and make arbitrary PHP code along issues goal waiter done unsanitized parameters.



Nevertheless, it ought to live famous that this exposure is non exploitable inch issues nonpayment set up of issues vBulletin assembly, before exploitation is feasible once "Preserve Avatars equally Information" choice is enabled past issues web site executive.



Romano has besides discharged a people proof-of-concept exploit for this RCE exposure.



Issues different 2 vulnerabilities ar learn in-band and time-based SQL injectant points that reside inch 2 separate endpoints and will quota directors with qualified privileges to learn tender information from issues database, which they differently whitethorn non live allowed to entry.




vbulletin security vulnerabilities



Since these 2 SQL injectant flaws tin can non live used past whatsoever registered exploiter and require particular permissions, vBulletin assembly directors and customers demand non to man.

Web Application Firewall



Safety Patches Discharged




Romano responsibly reported all issues vulnerabilities to issues vBulletin projection maintainers simply lastly calendar week along Sep 30, and issues squad acknowledged his findings and discharged issues next security patch updates that tackle issues reported flaws.






  • vBulletin 5.5.four Patch Degree 2

  • vBulletin 5.5.three Patch Degree 2

  • vBulletin 5.5.Two Patch Degree 2






Directors ar extremely suggested to use issues safety patch earlier hackers began exploiting issues vulnerabilities to focus on their assembly customers—simply lips somebody did lastly calendar week to steal login info of nearly 245,000 Comodo Forums customers after issues firm failing to use uncommitted patches along clock.



Hold one thing to say around this story? Remark beneath oregon percentage it with usa along Facebook, Twitter oregon our LinkedIn Group.