Researchers have discovered two critical vulnerabilities in the version 5 of vBulletin forum software and disclosed its details
Researchers have discovered two critical vulnerabilities in the version 5 of vBulletin forum software and disclosed its details.vBulletin is widely used internet forum software which powers more than 100000 websites which includes Fortune 500 and Alexa top 1M firms.The flaw was discovered by a Security researcher from TRUEL IT, an Italy based security firm and an independent security researcher whose name was not revealed.
Read more on: New ATM Malware PRILEX Targets Banks in BRAZILThe first vulnerability discovered is an unauthenticated file inclusion which can lead to remote code execution in vBulletin version 5.The vulnerability allows the attacker to include any file from the vBulletin server and executes an arbitrary PHP code.“An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=.The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server.”The second vulnerability (CVE-2017-17672) is described as an unauthenticated deserialization issue which leads to arbitrary delete files and sometimes under certain circumstances can execute malicious codes also.According to researchers “Unsafe usage of PHP’s unserialize() on user-supplied input allows an unauthenticated attacker to delete arbitrary files and, under certain circumstances, execute arbitrary code on a vBulletin installation.”
Read more on: New Targeted Attack in Middle East By Exploiting CVE-2017-11882 Microsoft Vulnerability“ vB_Library_Template’s cacheTemplates() function, which is a publicly exposed API which allows to fetch information on a set of given templates from the database in order to store them inside a cache variable.” said in the post published by the company.Researchers said that they had notified the company about both the vulnerabilities on November 21, 2017, but they did not get any response back from the company.According to reports patched for both vulnerabilities will be released soon by the company and researchers has also released proof of concept codes to explain the severity of the flaws.
Read more on: Android Bug Allows Attackers to Inject Malicious Code and Bypass Apps Signature