Thread: A Vulnerability in vBulletin Could Allow for Remote Code Execution

  1. #1
    Join Date
    Feb 2017
    Location
    North-East Oregon
    Posts
    253

    A Vulnerability in vBulletin Could Allow for Remote Code Execution

    Just wanted to share since I see this site is a vBulletin site. This was just released by MS-ISAC:

    TLP: WHITE

    MS-ISAC CYBERSECURITY ADVISORY

    MS-ISAC ADVISORY NUMBER: 2019-100

    DATE(S) ISSUED: 09/27/2019

    SUBJECT: A Vulnerability in vBulletin Could Allow for Remote Code Execution

    OVERVIEW:

    A vulnerability has been discovered in vBulletin which could allow for remote code execution when a malicious POST request is sent to the vulnerable application. vBulletin is a software package written in PHP used to create forums. Successful exploitation of this vulnerability could enable the attacker to perform system command execution in the context of the web server hosting the application. Depending on the privileges associated with the vBulletin service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    THREAT INTELLIGENCE:

    There are reports of this vulnerability being exploited in the wild.

    SYSTEMS AFFECTED:

    vBulletin versions 5.0.0 to 5.5.4

    RISK:

    Government:
      Large and medium government entities: Medium
      Small government entities: Medium

    Businesses:
      Large and medium business entities: Medium
      Small business entities: Medium

    Home users: NA

    TECHNICAL SUMMARY:

    A vulnerability has been discovered in vBulletin which can allow for remote code execution when a malicious POST request is sent to the vulnerable application. This vulnerability exists due to improper input validation within the widgetConfig[code] parameter when a POST request is sent to the index page of vBulletin with the routestring “ajax/render/widget_php”. An attacker can load an arbitrary widget and run code provided within the widgetConfig[code] parameter. Depending on the privileges associated with the vBulletin service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    RECOMMENDATIONS:

    We recommend the following actions be taken:

    Apply appropriate updates provided by vBulletin to vulnerable systems, immediately after appropriate testing.
    Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
    Apply the Principle of Least Privilege to all systems and services.
    REFERENCES:

    vBulletin:
    https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4

    SecList:
    https://seclists.org/fulldisclosure/2019/Sep/31

    Ars Technica:
    https://arstechnica.com/information-technology/2019/09/public-exploit-code-spawns-mass-attacks-against-high-severity-vbulletin-bug/

    CVE:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759

    24×7 Security Operations Center
    Multi-State Information Sharing and Analysis Center (MS-ISAC)
    Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

    TLP: WHITE

    Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

    http://www.us-cert.gov/tlp/


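A defender-side check for the request pattern and version range described in the advisory above, added here as an example (not MS-ISAC's or vBulletin's code). The sample requests, the (method, target, body) tuple shape and the PLACEHOLDER value are constructed for the demonstration.

```python
# Added example (not MS-ISAC's or vBulletin's code): flag requests matching the
# CVE-2019-16759 pattern from the advisory's Technical Summary, and check a version
# string against the advisory's affected range 5.0.0 - 5.5.4.
from urllib.parse import urlsplit, parse_qs

ROUTE = "ajax/render/widget_php"      # routestring named in the advisory
PARAM = "widgetConfig[code]"          # parameter named in the advisory


def _params(query: str) -> dict:
    # keep_blank_values so an empty widgetConfig[code]= still counts
    return parse_qs(query, keep_blank_values=True)


def is_widget_php_request(method: str, target: str, body: str = "") -> bool:
    """True when the request reaches the widget_php route AND carries widgetConfig[code].

    The route may arrive as the URL path, as routestring= in the query string, or as
    routestring= in a POST body; URL-encoded forms are decoded by parse_qs.
    """
    parts = urlsplit(target)
    params = _params(parts.query)
    if method.upper() == "POST":
        for key, values in _params(body).items():
            params.setdefault(key, []).extend(values)
    routes = [parts.path] + params.get("routestring", [])
    return any(r.strip("/").endswith(ROUTE) for r in routes) and PARAM in params


def is_affected_version(version: str) -> bool:
    """Advisory range: vBulletin 5.0.0 through 5.5.4. Expects a plain x.y.z string;
    anything else (e.g. a beta tag) raises ValueError rather than silently passing."""
    major, minor, patch = (int(x) for x in version.split("."))
    return (5, 0, 0) <= (major, minor, patch) <= (5, 5, 4)


# Constructed sample requests (method, path+query, body); PLACEHOLDER is an inert stand-in.
SAMPLES = [
    ("POST", "/index.php", "routestring=ajax/render/widget_php&widgetConfig[code]=PLACEHOLDER"),
    ("POST", "/ajax/render/widget_php", "widgetConfig[code]=PLACEHOLDER"),
    ("GET", "/index.php?routestring=ajax/render/widget_php&widgetConfig[code]=PLACEHOLDER", ""),
    ("GET", "/forum/help", ""),
    ("POST", "/ajax/render/widget_php", "widgetConfig[title]=hello"),  # route without the code parameter
]


def flag_samples(samples=SAMPLES) -> list:
    """Indexes of samples that match the exploit pattern."""
    return [i for i, (m, t, b) in enumerate(samples) if is_widget_php_request(m, t, b)]


if __name__ == "__main__":
    print("flagged:", flag_samples(), "| 4.2.5 affected:", is_affected_version("4.2.5"))
```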

  2. #2
    Join Date
    Dec 2008
    Location
    australia
    Posts
    822

    Could be a problem, if the forum had been updated.
    But it is still back in the fourth version.
    Version 4.2.5
