According to recent research from a researcher at the Italy-based security company TRUELIT and an independent security expert, the widely used internet forum software vBulletin has two critical, unpatched security flaws. One of them allows an attacker to remotely execute malicious code on the vBulletin application server. Note that vBulletin version 5 is the affected release.
vBulletin impacted by critical flaws
The findings were disclosed under the SecuriTeam Secure Disclosure program run by Beyond Security. Beyond Security states that after identifying the flaws in late November 2017 it contacted vBulletin but received no favorable response. vBulletin is written in PHP and uses a MySQL database; it powers over 100,000 websites, including sites in the Alexa Top 1 Million and sites belonging to some Fortune 500 firms.
One of the two identified vulnerabilities is a file inclusion flaw that leads to remote code execution: an attacker can include any file on the vBulletin server by sending a GET request to index.php with a crafted routestring= parameter, and thereby execute arbitrary PHP code. A customized request sent to the vBulletin server can include just about any file available on the web server. The technique is easily performed against Windows hosts.
The researcher has provided a proof-of-concept demonstrating how this vulnerability can be exploited; however, as of now the vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) number.
The second vulnerability has been assigned a CVE number, CVE-2017-17672. This flaw is described as a deserialization issue caused by the unsafe use of unserialize() on user-supplied input. Through it, an attacker can delete arbitrary files on the vBulletin installation and, in certain situations, execute malicious code.
As per the advisory released by Beyond Security, “vB_Library_Template’s cacheTemplates() function is a publicly exposed API which allows fetching information on a set of given templates from the database in order to store them inside a cache variable. The $templateidlist variable, which can come directly from user-input, is directly supplied to unserialize(), resulting in an arbitrary deserialization primitive.”
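As an added illustration, not vBulletin's own code or the advisory's, the pattern described above in PHP: a cacheTemplates-style function that hands a request parameter straight to unserialize(), beside a hardened version that disables object instantiation and only accepts the list shape the API actually needs. The function names and the assumed integer-list format are assumptions, not vBulletin's.

```php
<?php
// Added example (not vBulletin's code). Models a cacheTemplates()-style
// helper that receives a serialized template-id list from the request.
// Function names and the integer-list shape are assumptions.

// Vulnerable pattern: user-controlled string passed straight to unserialize().
// Any class with __wakeup()/__destruct() becomes reachable through the input,
// which is the "arbitrary deserialization primitive" the advisory describes.
function cacheTemplatesUnsafe(string $templateidlist): array
{
    $ids = unserialize($templateidlist);
    return is_array($ids) ? $ids : [];
}

// Hardened pattern:
// 1. Decode with object instantiation disabled (allowed_classes, PHP >= 7.0),
//    so no application class can be instantiated from the input.
// 2. Enforce the only shape this API needs: a flat list of positive integers,
//    and reject the whole request on any other value.
function cacheTemplatesSafe(string $templateidlist): array
{
    $ids = @unserialize($templateidlist, ['allowed_classes' => false]);
    if (!is_array($ids)) {
        return []; // objects arrive as __PHP_Incomplete_Class, not arrays
    }
    $clean = [];
    foreach ($ids as $id) {
        if (!is_int($id) || $id <= 0) {
            return [];
        }
        $clean[] = $id;
    }
    return array_values(array_unique($clean));
}

// Sample inputs (constructed for this example).
$benign  = serialize([1, 2, 3]);
$crafted = 'O:8:"stdClass":0:{}';   // an object where a list is expected

var_dump(cacheTemplatesSafe($benign));   // int list [1, 2, 3]
var_dump(cacheTemplatesSafe($crafted));  // empty array: no object instantiated
```

A stricter fix is to stop accepting serialized input altogether and take the ids as plain integers (for example a comma-separated string validated with ctype_digit), which removes unserialize() from the request path entirely.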
Although the two flaws have not yet been patched, vBulletin's developers say fixes will be released soon. The company disputes Beyond Security's account that it notified vBulletin on 21 November 2017: according to vBulletin, no ticket about the vulnerabilities was received, and the company was only alerted to the issue last week.
vBulletin and previous data breaches
In 2016, HackRead exclusively discovered that more than a hundred vBulletin-based forums had been compromised through vulnerabilities in vBulletin 4.2.2 and 4.2.3. As a result, millions of user accounts were sold on Dark Web marketplaces.
Now that researchers have publicly released details of the vulnerabilities, the vBulletin team needs to deliver a fix without further delay, while forum operators should stay vigilant and keep an eye on their forums.