Remote code execution-zeroday in forum software vBulletin has been put online

An anonymous security researcher has published a zero day for vBulletin. The popular forum creation software had a vulnerability that allowed remote code execution on the affected server.

The bug hunter posted details about the vulnerability on the Full Disclosure mailing list. In any case, the vulnerability would work on all versions of vBulletin from 5.0.0 to 5.5.4. This is a remote code execution vulnerability that allows an attacker to execute an HTTP POST request on the server running vBulletin. Moreover, no further authentication is required. An attacker does not need an account on that forum.

It is also striking how relatively easy the leak is to exploit. You can do that by entering a command in just twenty lines of Python code. Several security researchers have discovered the leak tested and conclude that the exploit does indeed work. The first vulnerable version, 5.0.0, was released in 2012.

There is currently no patch available for the vulnerability. Besides the operation of the exploit, the discoverer gives few details about how he discovered the leak. It is also not clear whether he made responsible disclosure and informed vBulletin first, or whether he just put the leak online. vBulletin itself has not yet responded.

The company’s software is used by some large companies. The well-visited Bodybuilding.com forum and the Steam, EA, Sony and NASA forums run on vBulletin.