Pierluigi Paganini October 09, 2019

vBulletin has recently published a new security patch update that addresses three high-severity vulnerabilities in the popular forum software.

vBulletin has recently published a new security patch update that addresses three high-severity flaws in vBulletin 5.5.4 and prior versions.

The vulnerabilities could be exploited by remote attackers to take complete control over targeted web servers and steal sensitive user information.

The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw reported by security researcher Egidio Romano.

The vulnerability resides in the way vBulletin forum handles user requests to update avatars for their profiles, a remote attacker could exploit it to inject and execute arbitrary PHP code on the target server through unsanitized parameters. The vulnerability could not be triggered in the default installation of the vBulletin forum.

“User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code.” reads the security advisory. “Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).”

Proof of code is available at the following URL:

http://karmainsecurity.com/pocs/CVE-2019-17132

The remaining critical vulnerabilities addressed by vBulletin are two SQL injection issues, both tracked as CVE-2019-17271.

“1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canadminproducts” or “canadminstyles” permission.” reads the security advisory.

2) User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canusesitebuilder” permission.

The two vulnerabilities could allow administrators with restricted privileges to read sensitive data from the database.

Romano reported all the flaws to the vBulletin maintainers on September 30 that released the following security patch updates.

Last month, vBulletin released a patch for a critical zero-day remote code execution vulnerability.

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]