vBulletin Forum- An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the widely used internet forum software, The Hacker News has learned.
One of the reasons why the vulnerability should be viewed as a severe issue is not just because it is remotely exploitable, but also doesn’t require authentication.
Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums.
According to details published on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 till the latest 5.5.4.
The Hacker News has independently verified that the flaw works, as described, and affects the latest version of vBulletin software, which eventually leaves thousands of forum websites at risk of hacking.
The vulnerability resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters and then parse them on the server without proper safety checks, allowing attackers to inject commands and remotely execute code on the system.
As a proof-of-concept, the hacker has also released a python-based exploit that could make it easier for anyone to exploit the zero-day in the wild.
So far, the Common Vulnerabilities and Exposures (CVE) number has not been assigned to the vulnerability.