The details of two potentially serious vulnerabilities affecting version 5 of the vBulletin forum software were disclosed by researchers last week. The flaws are currently unpatched, but vBulletin developers have promised to release fixes soon.
The security holes were disclosed via Beyond Security’s SecuriTeam Secure Disclosure program by a researcher from Italy-based security firm TRUEL IT and an expert who has not been named.
One of the vulnerabilities has been described as a file inclusion issue. The flaw affects vBulletin installations that use a Windows-based server, and an unauthenticated attacker can exploit it by sending a specially crafted GET request to index.php.
An attacker can inject malicious PHP code into a file on the server (e.g. access.log) and then “include” that file by manipulating the routestring= parameter in the request. This results in the attacker’s code getting executed.
The second vulnerability, tracked as CVE-2017-17672, has been described as a deserialization issue that can be exploited by an unauthenticated attacker to delete arbitrary files and possibly even execute arbitrary code.
“vB_Library_Template’s cacheTemplates() function is a publicly exposed API which allows to fetch information on a set of given templates from the database in order to store them inside a cache variable,” Beyond Security’s advisory explains. “The $temnplateidlist variable, which can come directly from user-input, is directly supplied to unserialize(), resulting in an arbitrary deserialization primitive.”
Detailed technical information and proof-of-concept (PoC) code have been made available for both vulnerabilities.
Beyond Security claims it has been trying to report the vulnerabilities to vBulletin developers since November 21, but has not received any response. vBulletin, on the other hand, told SecurityWeek that it received no email into its ticket system regarding the vulnerabilities until last week. A patch has already been developed and it will be released once it’s tested.
Malicious actors exploiting vBulletin vulnerabilities in the wild is not unheard of. A couple of years ago, researchers had started seeing thousands of daily attempts to exploit a critical flaw less than two weeks after it was patched.