
vBulletin addresses three new high-severity vulnerabilities

vBulletin has recently published a new security patch update that addresses three high-severity vulnerabilities in the popular forum software.

vBulletin has recently published a new security patch update that addresses three high-severity flaws in vBulletin 5.5.4 and prior versions.

The vulnerabilities could be exploited by remote attackers to take complete control over targeted web servers and steal sensitive user information.

The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw reported by security researcher Egidio Romano.

The vulnerability resides in the way the vBulletin forum handles user requests to update profile avatars; a remote attacker could exploit it to inject and execute arbitrary PHP code on the target server through unsanitized parameters. The vulnerability cannot be triggered in a default vBulletin installation.

“User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code.” reads the security advisory. “Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).”

Proof-of-concept code is available at the following URL:

http://karmainsecurity.com/pocs/CVE-2019-17132

The remaining critical vulnerabilities addressed by vBulletin are two SQL injection issues, both tracked as CVE-2019-17271.

“1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires a user account with the “canadminproducts” or “canadminstyles” permission.” reads the security advisory.

“2) User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires a user account with the “canusesitebuilder” permission.”

The two vulnerabilities could allow administrators with restricted privileges to read sensitive data from the database.
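As an added example (not part of the original article or of the vendor advisory), the following Python flags requests that match the shape of the three issues: an avatar update whose `data[extension]` is not an image type, or a `where` key on either list endpoint that is not a bare column name. The endpoint paths and parameter names come from the advisory quoted above; the log format, the extension allowlist and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory.
AVATAR_ENDPOINT = "/ajax/api/user/updateAvatar"
WHERE_ENDPOINTS = {"/ajax/api/hook/getHookList", "/ajax/api/widget/getWidgetList"}
# Assumption: an avatar should only ever be a plain image file.
ALLOWED_AVATAR_EXT = {"gif", "jpg", "jpeg", "png"}
# A legitimate "where" key is a bare column name; anything else deserves a look.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
WHERE_KEY = re.compile(r"^where\[(.*)\]$")

def inspect_request(path, params):
    """Return findings for one request (empty list when nothing is notable)."""
    findings = []
    if path == AVATAR_ENDPOINT:
        for ext in params.get("data[extension]", []):
            if ext.lower() not in ALLOWED_AVATAR_EXT:
                findings.append("updateAvatar with non-image extension %r" % ext)
    elif path in WHERE_ENDPOINTS:
        for name in params:
            m = WHERE_KEY.match(name)
            if m and not IDENTIFIER.match(m.group(1)):
                findings.append("%s where-key is not a column name: %r" % (path, m.group(1)))
    return findings

def scan_log(text):
    """Run inspect_request over '<client> <method> <target> <status>' lines.
    Parameters are read from the query string for illustration; these endpoints
    take them in a POST body, so in practice the check belongs in a WAF or app log."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, target, _status = line.split()
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        hits.extend((client, f) for f in inspect_request(parts.path, params))
    return hits

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 POST /ajax/api/user/updateAvatar?data[extension]=png&data[filedata]=AAAA 200
10.0.0.5 POST /ajax/api/user/updateAvatar?data[extension]=php&data[filedata]=AAAA 200
10.0.0.7 POST /ajax/api/hook/getHookList?where[hookname]=x 200
10.0.0.7 POST /ajax/api/hook/getHookList?where[hookname%20x]=x 200
10.0.0.8 POST /ajax/api/widget/getWidgetList?where[widgetid%27]=1 200
10.0.0.9 GET /forum/index.php 200
"""
```

Only the second, fourth and fifth sample lines are reported; the benign avatar update, the plain `where[hookname]` key and the unrelated page pass silently.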

Romano reported all the flaws to the vBulletin maintainers on September 30, and vBulletin subsequently released the security patch updates.

Last month, vBulletin released a patch for a critical zero-day remote code execution vulnerability.


Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)
