vBulletin zero-day flaw can allow hackers to remotely execute arbitrary code


Security researcher discloses an unpatched vulnerability in vBulletin; hackers use the PoC to attack the DefCon forum within hours

Security researcher Amir Etemadieh aka Zenofex has revealed an unpatched zero-day in vBulletin that can be used by threat actors for remote code execution. vBulletin is very popular forum software. It is considered to be one of the best bulletin board applications you can use on your website. vBulletin is written in PHP and requires a MySQL database. It is a paid application and offers regular security updates.

Last year in September, a security researcher disclosed a zero-day flaw in vBulletin v5.x through to v5.5.4. The zero-day allowed hackers to remotely execute arbitrary code via the widgetConfig[code] parameter in an ajax/render/widget_php route string request. The flaw allowed potential hackers to execute malicious commands on the remote server without requiring any authentication to log into the forum. The zero-day was assigned the identifier CVE-2019-16759 with a very high rating of 9.8/10, and was patched by vBulletin devs on 25th September 2019. A PoC of the exploit was published on 23rd September 2019 on SecLists.

Zenofex found that the patch issued for CVE-2019-16759 could be bypassed, allowing hackers to remotely execute arbitrary code just as with the earlier zero-day. The zero-day vulnerability found by Zenofex can be remotely exploited and doesn’t require any authentication to log into the target forum.

Zenofex says that the vBulletin patch for CVE-2019-16759 did not resolve the issues present in the “widget_tabbedcontainer_tab_panel” template and this could be exploited easily to gain complete control of the vBulletin forum.
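Forum operators can check their web server access logs for requests that touch the two names mentioned above. The script below is an added example, not code from Zenofex or vBulletin; it assumes combined-format access logs and that the route or template name appears in the request URL, and its sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Names taken from the article: the CVE-2019-16759 route and the template
# that the original patch left exploitable.
INDICATORS = ("ajax/render/widget_php", "widget_tabbedcontainer_tab_panel")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target: str) -> str:
    """Undo up to two layers of percent-encoding and lower-case the target."""
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def find_widget_requests(lines):
    """Return {client_ip: [(time, method, status, indicator), ...]} for hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        target = normalize(m["target"])
        for indicator in INDICATORS:
            if indicator in target:
                hits[m["ip"]].append((m["time"], m["method"], int(m["status"]), indicator))
                break
    return dict(hits)

# Constructed sample log lines (documentation address ranges, no real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2020:03:14:07 +0000] "POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Aug/2020:03:14:09 +0000] "POST /index.php?routestring=ajax%2Frender%2Fwidget_php HTTP/1.1" 200 498 "-" "curl/7.68.0"',
    '203.0.113.20 - - [10/Aug/2020:03:15:00 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [10/Aug/2020:03:16:00 +0000] "POST /AJAX/render/Widget_PHP HTTP/1.1" 403 120 "-" "python-requests/2.24"',
]

if __name__ == "__main__":
    for ip, events in find_widget_requests(SAMPLE_LOG).items():
        for time, method, status, indicator in events:
            print(f"{ip} {time} {method} {status} matched {indicator}")
```

Access logs normally omit POST bodies, so a hit shows only that the route was requested, not what was sent. Treat any hit with a 200 status on an unpatched forum as a reason to investigate the host.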

PoC of vBulletin zero-day

Zenofex says that exploiting this particular zero-day is as simple as a one-line command. He has also written a Bash script, a Python script, and a Metasploit module to exploit this vBulletin zero-day.

Short Term Fix for the vBulletin zero-day

Zenofex has also given a fix for this vulnerability on his blog. He says that the workaround disables PHP widgets within your forums and may break some functionality but will keep you safe from attacks until a patch is released by vBulletin.

  1. Go to the vBulletin administrator control panel.
  2. Click “Settings” in the menu on the left, then “Options” in the dropdown.
  3. Choose “General Settings” and then click “Edit Settings”.
  4. Look for “Disable PHP, Static HTML, and Ad Module rendering” and set it to “Yes”.
  5. Click “Save”

Within minutes of Zenofex revealing the PoC on his website, the Defcon forum was taken down by unknown hackers using the very same flaw.

Patch for the zero-day by vBulletin

The vBulletin team also took cognizance of Zenofex’s findings and released a temporary security patch. The security patch released by vBulletin devs disables the PHP module in vBulletin software temporarily till the flaw is fixed completely. The devs have assured vBulletin users that the flaw will completely be patched in the future release of vBulletin 5.6.4.

Here is how you can apply the vBulletin patch:

The security fix for the zero-day is available for the following versions of vBulletin Connect:

  • 5.6.2
  • 5.6.1
  • 5.6.0

Installing the Patch

  1. Download the appropriate files for your version of vBulletin 5.6.X from here.
  2. Upload all files found within the zip file. Make sure to overwrite the existing files on your server.
  3. The devs have said that all older versions should be considered vulnerable. Sites running older versions of vBulletin need to be upgraded to vBulletin 5.6.2 as soon as possible.
