Two code execution vulnerabilities affecting version 5 of the popular vBulletin forum CMS were disclosed by researchers last week via Beyond Security’s SecuriTeam Secure Disclosure program.
vBulletin is currently used by over 100,000 sites, including Fortune 500 and Alexa Top 1M companies websites and forums.
The flaws were discovered by an expert at the Italy-based security firm TRUEL IT and an expert who has not been named.
The vulnerabilities are still unpatched, but the vBulletin development team is going to fix them as soon as possible.
The first vulnerability was reported by an independent security researcher, it is described as an unauthenticated file inclusion issue and could lead to remote code execution.
An attacker can include malicious PHP code into a file on the server, for example the access.log, and then include that file by manipulating the routestring= parameter in a specifically crafted request that can result in the attacker’s code getting executed.
“vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.
An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=.” reads the security advisory.
“The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server.”
The second vulnerability, tracked as CVE-2017-17672, has been described as an unauthenticated deserialization flaw.
The flaw, reported by a security researcher from, TRUEL IT ( @truel_it ), can be exploited by an unauthenticated attacker to delete arbitrary files and possibly even execute arbitrary code.
“Unsafe usage of PHP’s unserialize() on user-supplied input allows an unauthenticated attacker to delete arbitrary files and, under certain circumstances, execute arbitrary code on a vBulletin installation.” states the security advisory.
“vB_Library_Template’s cacheTemplates() function, which is an publicly exposed API which allows to fetch information on a set of given templates from the database in order to store them inside a cache variable.”
For both vulnerabilities, the researchers released proof-of-concept (PoC) codes.
Beyond Security claims it has first reported the issues to the vBulletin development team on November 21, but has not received any response.
According to SecurityWeek, the development team has already developed a patchand it is testing it.
“vBulletin, on the other hand, told SecurityWeek that it received no email into its ticket system regarding the vulnerabilities until last week. A patch has already been developed and it will be released once it’s tested.” reported SecurityWeek.
(Security Affairs – vBulletin, hacking)