Zero-day vulnerability in vBulletin is exploited

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Sept 2019

An unidentified security researcher has published details of a zero-day vulnerability in vBulletin, the world’s most popular Internet forum software.

The exposure of this unpatched vulnerability could see a slew of forum hacks across the Internet, with attackers taking over forum installations and stealing massive amounts of user data. 

Some users have already reported having their forums attacked via this exploit, with one claiming it was used to delete his forum database.

An analysis of the published code revealed that the zero-day exploit enables a hacker, without needing an account on the forum in question, to execute shell commands on the server running a vBulletin installation, which could allow them to download malware or tamper with the site's code.

This is known as a 'pre-authentication remote code execution' vulnerability, one of the most dangerous flaws that can impact an entire Web-based platform. 

Ryan Seguin, a researcher from Tenable, said in his blog that this exploit works on default configurations of vBulletin. “Based on the public proof of concept, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands would be executed with the permissions of the user account that the vBulletin service is utilising. Depending on the service user’s permissions, this could allow complete control of a host.”

Apply the patch

A patch has been issued by vBulletin for the vulnerability (CVE-2019-16759) for versions 5.5.2, 5.5.3 and 5.5.4. Seguin said users of earlier versions of vBulletin 5.x will need to update to one of the currently supported versions in order to apply the patch. 

“vBulletin cloud users don’t need to perform any additional actions as the fix has already been applied to the cloud version,” he added.

Ilia Kolochenko, founder and CEO of Web security company ImmuniWeb, says this vulnerability is surprisingly easy to exploit. 

“Sadly, very few Web application firewalls will block its exploitation. These days, security flaws exploitable in a default configuration and without authentication are very rare in such well-established Web software. We can expect a tornado of automated hacking and Web server backdooring campaigns to start now.”

Kolochenko advises Web site owners running the vulnerable versions to urgently shut down their vBulletin forums until the patch has been applied.

The motives behind the spontaneous disclosure of this vulnerability remain unclear, as vulnerabilities of this nature are worth quite a lot on the dark Web, adds Kolochenko, particularly given the large number of high-profile targets (companies that would be attractive to cyber crooks) that use vBulletin.

“It could be a junior security enthusiast showcasing his or her skills for fun, or it could be a professional cyber gang distracting everyone’s attention from something else.”

