Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly

Security researchers have discovered and disclosed details of two unpatched critical vulnerabilities in vBulletin, a popular internet forum software package, one of which could allow a remote attacker to execute malicious code on the latest version of the vBulletin application server.

vBulletin is a widely used proprietary Internet forum software package based on PHP and the MySQL database server. It powers more than 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 million companies.

The vulnerabilities were discovered by a security researcher from Italy-based security firm TRUEL IT and an unknown independent security researcher, who disclosed the details of the vulnerabilities through Beyond Security’s SecuriTeam Secure Disclosure program.

The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims it has tried to contact vBulletin since November 21, 2017, but received no response from the company.

vBulletin Remote Code Execution Vulnerability

The first vulnerability discovered in vBulletin is a file inclusion issue that leads to remote code execution, allowing a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.

An unauthenticated attacker can trigger the file inclusion vulnerability by sending a GET request to index.php with the routestring= parameter in the request, eventually allowing the attacker to “create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server.”

The researcher has also provided Proof-of-Concept (PoC) exploit code to show the exploitation of the vulnerability. A Common Vulnerabilities and Exposures (CVE) number has not been assigned to this particular vulnerability.
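For defenders reviewing web server logs for the routestring file inclusion described above, the following added example (not from the article or the researchers' advisory) flags requests to index.php whose routestring value, after percent-decoding, contains path traversal, a backslash, an absolute path or a null byte. The combined log format, the heuristics and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Assumed heuristics: a normal routestring is a relative route such as
# "forum/general", so none of these should appear in it.
SUSPICIOUS = [
    ("traversal", re.compile(r"\.\.")),
    ("backslash", re.compile(r"\\")),
    ("absolute_path", re.compile(r"^(?:/|[A-Za-z]:)")),
    ("null_byte", re.compile(r"\x00")),
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return the sorted reasons a log line looks like an inclusion attempt."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("index.php"):
        return []
    reasons = set()
    for raw in parse_qs(url.query, keep_blank_values=True).get("routestring", []):
        value = fully_decode(raw)  # parse_qs has already decoded one layer
        reasons.update(name for name, rx in SUSPICIOUS if rx.search(value))
    return sorted(reasons)

def scan(lines):
    """Return (line_index, reasons) for every flagged line."""
    return [(i, r) for i, line in enumerate(lines) if (r := check_line(line))]

# Constructed sample log lines (not taken from the article or any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2018:10:00:00 +0000] "GET /index.php?routestring=forum/general HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2018:10:00:05 +0000] "GET /index.php?routestring=..%5C..%5Csome%5Cfile.txt HTTP/1.1" 200 901',
    '203.0.113.9 - - [01/Jan/2018:10:00:09 +0000] "GET /index.php?routestring=%252e%252e/other/file.ini HTTP/1.1" 200 77',
    '198.51.100.7 - - [01/Jan/2018:10:01:00 +0000] "GET /forum/index.php?routestring=member/42 HTTP/1.1" 200 2048',
]
```

Calling scan(SAMPLE_LOG) returns the indexes of the two constructed suspicious lines together with the reasons each was flagged.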

vBulletin Remote Arbitrary File Deletion Vulnerability

The second vulnerability discovered in the vBulletin forum software version 5 has been assigned CVE-2017-17672 and is described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code “under certain circumstances.”

The vulnerability is due to unsafe usage of PHP’s unserialize() on user-supplied input, which allows an unauthenticated hacker to delete arbitrary files and possibly execute arbitrary code on a vBulletin installation.

A publicly exposed API, vB_Library_Template’s cacheTemplates() function, allows fetching information on a set of given templates from the database to store them inside a cache variable.