A Vulnerability in vBulletin Could Allow for Remote Code Execution

ITS Advisory Number: 
2019-100 - UPDATED
Date(s) Issued: 
Friday, September 27, 2019
Date Updated: 
Friday, August 14, 2020
Subject: 
A Vulnerability in vBulletin Could Allow for Remote Code Execution
Overview: 

A vulnerability has been discovered in vBulletin which could allow for remote code execution when a malicious POST request is sent to the vulnerable application. vBulletin is a software package written in PHP used to create forums. Successful exploitation of this vulnerability could enable the attacker to perform system command execution in the context of the web server hosting the application. Depending on the privileges associated with the vBulletin service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

ORIGINAL THREAT INTELLIGENCE:

There are reports of this vulnerability being exploited in the wild.

 

August 14 - UPDATED THREAT INTELLIGENCE:

A proof of concept was unveiled that would allow an attacker to bypass the previous fix.

 

Systems Affected: 

  • vBulletin versions 5.0.0 to 5.5.4

August 14 - UPDATED SYSTEMS AFFECTED:

  • vBulletin versions 5.0.0 to 5.6.2

RISK
GOVERNMENT
Large and medium government entities: 
Medium
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
Medium
Small business entities: 
Medium
Home Users: 
N/A
Description: 

A vulnerability has been discovered in vBulletin which can allow for remote code execution when a malicious POST request is sent to the vulnerable application. This vulnerability exists due to improper input validation within the widgetConfig[code] parameter when a POST request is sent to the index page of the vBulletin with the routestring, "ajax/render/widget_php". An attacker can load an arbitrary widget and run code provided within the widgetConfig[code] parameter. Depending on the privileges associated with the vBulletin service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 

  • After appropriate testing, immediately apply updates provided by vBulletin to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Apply the Principle of Least Privilege to all systems and services.

References: 

ORIGINAL REFERENCES:
vBulletin:
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-anno...

SecList:
https://seclists.org/fulldisclosure/2019/Sep/31

Ars Technica:
https://arstechnica.com/information-technology/2019/09/public-exploit-co...

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759

August 14 - UPDATED REFERENCES
vBulletin:
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-anno...

Office of Information Technology Services

Other Information

Language Access

Register to Vote

Sign up online or download and mail your application. Register Now