Security researcher publishes zero-day vulnerability in vBulletin

The disclosure includes sample exploit code. The new flaw bypasses a patch released in September 2019 for a critical vulnerability that allows remote code execution. A new patch is now available for download.

The US security researcher Amir Etemadieh has published a zero-day vulnerability in the forum software vBulletin. In a blog post he also provides sample code for an exploit. An attacker could take complete control of a vBulletin forum without authentication.

Strictly speaking, Etemadieh managed to bypass a patch for a vulnerability in the forum software that had already become known in September 2019. That flaw, CVE-2019-16759, was fixed within a day by the vBulletin developers, but apparently not completely.

The underlying flaw is in the vBulletin template system, which allows malicious code to be smuggled in and executed remotely. According to Etemadieh, the patch developed last year does not adequately block remote code execution: he found a very simple way to keep exploiting the same vulnerability. He backs up his claim with sample exploit code in Bash, Python and Ruby.

The researcher also told ZDNet USA that he had not informed the vBulletin team before publishing his blog entry. The commercial provider of the forum software, MH Sub, was not available for comment.

Despite the developers' prompt reaction, the publication of the vulnerability last year triggered a wave of attacks on vBulletin forums. Forums are a popular target for attackers because of the large amounts of user data they often hold.

Etemadieh also mentions a workaround in his blog post that forum operators can use to protect themselves from new attacks until they have patched: in the general settings, the option “Disable PHP, Static HTML and Ad Module rendering” must be enabled.

A patch is now also available, for versions 5.6.0, 5.6.1 and 5.6.2. According to the vBulletin team, older versions must be considered vulnerable and should be updated to version 5.6.2.
