code execution vulnerability late last month, vBulletin has
recently published a new security patch update that addresses 3
more high-severity vulnerabilities in its forum software.
If left unpatched, the reported security vulnerabilities, which
affect vBulletin 5.5.4 and prior versions, could eventually allow
remote attackers to take complete control over targeted web servers
and steal sensitive user information.
Written in PHP, vBulletin is a widely used proprietary Internet
forum software package that powers over 100,000 websites on the
Internet, including the websites and forums of Fortune 500 and
Alexa Top 1 million companies.
Discovered by application security researcher Egidio Romano, the
first vulnerability, tracked as CVE-2019-17132, is a remote code
execution flaw, while the other two are SQL injection issues that
share a single identifier, CVE-2019-17271.
vBulletin RCE and SQLi Flaws
The RCE flaw resides in the way the vBulletin forum handles user
requests to update profile avatars (the icon or graphical
representation of a user), allowing a remote attacker to inject
and execute arbitrary PHP code on the target server through
unsanitized parameters.
However, it should be noted that this vulnerability is not
exploitable in a default installation of the vBulletin forum;
exploitation is only possible when the “Save Avatars as Files”
option has been enabled by the website administrator.
Romano has also released a public proof-of-concept exploit[4] for
this RCE vulnerability.
The other two vulnerabilities are read in-band and time-based
SQL injection issues that reside in two separate endpoints and
could allow administrators with restricted privileges to read
sensitive data from the database which they otherwise would not
be allowed to access.
registered user and require special permissions, vBulletin forum
administrators and users need not panic.
Security Patches Released
Romano responsibly reported all the vulnerabilities to the
vBulletin project maintainers just last week, on September 30, and
the team acknowledged his findings and released the following
security patch updates[5] that address the reported flaws.
- vBulletin 5.5.4 Patch Level 2
- vBulletin 5.5.3 Patch Level 2
- vBulletin 5.5.2 Patch Level 2
Administrators are strongly advised to apply the security patches
before hackers start exploiting the vulnerabilities to target
their forum users, just as someone did last week to steal the
login information of nearly 245,000 Comodo Forums[6] users after
the company failed to apply available patches on time.
References
- [1] zero-day remote code execution vulnerability (thehackernews.com)
- [2] CVE-2019-17132 (karmainsecurity.com)
- [3] CVE-2019-17271 (karmainsecurity.com)
- [4] proof-of-concept exploit (karmainsecurity.com)
- [5] security patch updates (forum.vbulletin.com)
- [6] nearly 245,000 Comodo Forums (thehackernews.com)