This vBulletin vBug is vBad: Zero-day exploit lets miscreants hijack vulnerable web forums

An anonymous bug hunter has publicly disclosed a zero-day flaw in version 5 of the popular vBulletin forum software that can be exploited over the internet to hijack servers. No patch is known to be available. The security hole was revealed last night in a post to the Full Disclosure mailing list: the message exactly …

  1. Temmokan

    So I assume that vBulletin developers spend little to no time actually looking for possible vulnerability flaws.

    Too bad.

    1. Peter 26

      I don't think this classifies as a vulnerability; this is a feature which allows you to run a command on the server from the client. I don't see any way this could be accidental, it's bizarre. It's either a deliberate backdoor or some development code that got into release by accident. The development code part doesn't make any sense either, though: why would anyone add remote code execution into a development build?

      1. Michael Wojcik Silver badge

        As a term of art in IT security, "vulnerability" is appropriate for both deliberate backdoors and dangerous development code that was released by accident. A vulnerability need not be a bug. Many vulnerabilities are ill-conceived features.

  2. Anonymous Coward

    TITSUP

    I note that shell_exec() is a PHP function...

    Total Inability To Stop Using PHP

  3. Anonymous South African Coward Silver badge

    Forum I help to moderate was on vBulletin, but we made the move over to Xenforo.

    vB was dropped due to lackluster support etc.

    1. Stuart 22

      I would ask the Xenforo authors (who authored the original vBulletin) if the shell access was done in their time and if they carried it forward.

      This exploit is particularly dangerous as remaining vBulletin operators are likely to be the less expert admins. Otherwise, as you indicate, they would have migrated to Xenforo too.

      If I were running a vBulletin forum there would be a 'down for maintenance' page showing by now. Has vBulletin notified its users? And did the whistleblower give them adequate time to put a mitigation in place?

      If they didn't, then they are worse than hackers; if they did and vBulletin did nothing, then vBulletin deserves to be toast.

      1. Captain Scarlet

        If Xenforo staff were from VB they were likely authors of V4; I seem to remember a lot of staff left after they were bought out, which I think was before V5.

        If I am wrong feel free to correct.

  4. Stuart 22

    Already exploited

    The vBulletin website still has no warning on its frontpage or anywhere else I could find.

    Yet go to their forum and there are multiple reports of attacks and actual damage (like wiping the MySQL database). This is criminal of vBulletin, to not respond to or warn of a known exploit, given that they should be at least reading their own forum. vBulletin customers might be prudently advised to consider whether this is evidence of a responsible or trusted provider.

    https://forum.vbulletin.com/forum/vbulletin-5-connect/vbulletin-5-connect-questions-problems-troubleshooting/vbulletin-5-support-issues-questions/4422616-important-vb5-remote-exploit-in-the-wild
