An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the widely used internet forum software, The Hacker News has learned.
One of the reasons why the vulnerability should be viewed as a severe issue is not just because it is remotely exploitable, but also doesn’t require authentication.
Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums.
According to details published on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 till the latest 5.5.4.
The Hacker News has independently verified that the flaw works, as described, and affects the latest version of vBulletin software, which eventually leaves thousands of forum websites at risk of hacking.
The vulnerability resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters and then parse them on the server without proper safety checks, allowing attackers to inject commands and remotely execute code on the system.
As a proof-of-concept, the hacker has also released a python-based exploit that could make it easier for anyone to exploit the zero-day in the wild.
So far, the Common Vulnerabilities and Exposures (CVE) number has not been assigned to the vulnerability.
The Hacker News has also informed vBulletin project maintainers about the vulnerability disclosure and expect them to patch the security issue before hackers start exploiting it to target vBulletin installations.
A separate cybersecurity researcher analyzed the core reason of this vulnerability and posted details soon after The Hacker News publish the article.
Meanwhile, a GitHub user also released a simple script that could let anyone scan the Internet to find vBulletin websites using Shodan search engine and automatically check for vulnerable sites.
We will update the article and inform the readers via social media as soon as we hear back from the vBulletin maintainers.
Update — Hackers Actively Exploiting vBulletin Zero-Day; Patches Now Available
According to multiple infosec community sources in contact with The Hacker News, various hacking groups and individual bug hunters have already started scanning the Internet to target vulnerable vBulletin websites.
After The Hacker News broke the news and informed the vBulletin team about the zero-day public disclosure, now tracked as CVE-2019-16759, the project maintainers today released security patches for vBulletin versions 5.5.2, 5.5.3, and 5.5.4.