vBulletin Vulnerable To Code Execution & File Deletion Flaws

Last week, security researchers have published the details of two possibly critical flaws affecting version 5 of the vBulletin forum software.

vBulletin is the most popular forum software, which is based on PHP and MySQL database server. It’s currently used by over 100,000 websites, including Fortune 500 and Alexa Top 1 million organizations websites and forums.

The first security flaw (tracked as CVE-2017-17672) found in vBulletin installations that use a Windows-based server, and an unauthenticated attacker can exploit it by sending a specially crafted GET request to index.php.

This vulnerability give the attacker the ability to inject malicious PHP code into a file on the server and then “include” that file by manipulating the routestring= parameter in the request. This results in the attacker’s code getting executed.

The second security flaw (tracked as CVE-2017-17672), it can be exploited by an unauthenticated user to remove arbitrary files and probably even execute arbitrary code.

“Unsafe usage of PHP’s unserialize() on user-supplied input allows an unauthenticated attacker to delete arbitrary files and, under certain circumstances, execute arbitrary code on a vBulletin installation.” states the security advisory.

“vB_Library_Template’s cacheTemplates() function, which is an publicly exposed API which allows to fetch information on a set of given templates from the database in order to store them inside a cache variable.”

Detailed technical information and proof-of-concept (PoC) code for both flaws have been published online.