vBulletin forums need to be patched asap to avoid attackers to scan servers hosting the CMS and remotely execute arbitrary code.
Hackers breached the Steam’s Dota 2 forums and have leaked a couple of million credentials (the archive contains MD5-hashed passwords), but what is happening to forums based on the popular vBulletin CMS?
vBulletin forum administrators need to patch their platforms, the security updates fix multiple server-side request forgery bugs in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3.
A simple Google search reports that at least 18 million sites are based on the vBulletin CMS.
The flaws could be exploited by hackers to get access to services such as email and cache management.
The security expert Dawid Golunski confirmed the business impact of the flaw in a security advisory.
“The vulnerability can expose internal services running on the server/within the local network. If not patched, unauthenticated attackers or automated scanners searching for vulnerable servers could send malicious data to internal services.” wrote Golunski. “Depending on services in use, the impact could range from sensitive information disclosure, sending spam, DoS/data loss to code execution as demonstrated by the PoC exploit in this advisory.”
The researchers pointed a portion of the vBulletin codebase that accepts redirects from the target server specified in a user-provided link allowing HTTP redirects.
“HTTP redirects are also prohibited however there is one place in the vBulletin codebase that accepts redirects from the target server specified in a user-provided link. The code is used to upload media files within a logged-in user’s profile and can normally be accessed under a path similar to:
By specifying a link to a malicious server that returns a 301 HTTP redirect to the URL of http://localhost:3306 for example, an attacker could easily bypass the restrictions presented above and make a connection to mysql/3306 service listening on the localhost.
This introduces a Server Side Request Forgery (SSRF) vulnerability.”
The security advisory also includes proof-of-concept code.
Back to the data breach of Dota 2 forums, it was based on a simple SQL injection attack. Leakedsource.com, that first reported the incident, confirmed that it has already converted 80% of the more than 1.9 million passwords.
If you are running a vBulletin forum, patch it now.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.