Security researchers have discovered along with disclosed details of two unpatched critical vulnerabilities in a well-liked internet forum software—vBulletin—one of which could allow a remote attacker to execute malicious code on the latest edition of vBulletin application server.
vBulletin is usually a widely used proprietary Internet forum software package based on PHP along with MySQL database server. that will powers more than 100,000 websites on the Internet, including Fortune 500 along with Alexa Top 1 million companies websites along with forums.
The vulnerabilities were discovered by a security researcher via Italy-based security firm TRUEL that will along with an unknown independent security researcher, who disclosed the details of the vulnerabilities by Beyond Security’s SecuriTeam Secure Disclosure program.
The vulnerabilities affect edition 5 of the vBulletin forum software along with are currently unpatched. Beyond Security claims, that will tried to contact vBulletin since November 21, 2017, although received no response via the company.
vBulletin Remote Code Execution Vulnerability
The first vulnerability discovered in vBulletin is usually a file inclusion issue that will leads to remote code execution, allowing a remote attacker to include any file via the vBulletin server along with execute arbitrary PHP code.
An unauthenticated attacker can trigger the file inclusion vulnerability by sending a GET request to index.php with the routestring= parameter within the request, eventually allowing the attacker to “create a crafted request to Vbulletin server installed on Windows OS along with include any file on the web server.”
The researcher has also provided Proof-of-Concept (PoC) exploit code to show the exploitation of the vulnerability. A Common Vulnerabilities along with Exposures (CVE) number has not been assigned to This particular particular vulnerability.
vBulletin Remote Arbitrary File Deletion Vulnerability
The second vulnerability discovered within the vBulletin forum software edition 5 has been assigned CVE-2017-17672 along with described as a deserialization issue that will an unauthenticated attacker can exploit to delete arbitrary files along with even execute malicious code “under certain circumstances.”
The vulnerability is usually due to unsafe usage of PHP’s unserialize() on user-supplied input, which allows an unauthenticated hacker to delete arbitrary files along with possibly execute arbitrary code on a vBulletin installation.
A publicly exposed API, called vB_Library_Template’s cacheTemplates() function, allows fetching information on a set of given templates via the database to store them inside a cache variable.
“$temnplateidlist variable, which can come directly via user-input, is usually directly supplied to unserialize(), resulting in an arbitrary deserialization primitive,” the advisory explains.
Besides technical details, the advisory also includes Proof-of-Concept (PoC) exploit code to explain the severity of This particular vulnerability.
We expect the vendor to Discharge the patch for both the security flaws before hackers started out exploiting them to target vBulletin installations.