New vBulletin zero-day could infect thousands of sites worldwide


Details about a zero-day in the popular internet forum software vBulletin have been published online by an anonymous security researcher.

Following the disclosure, security experts have become concerned that by publishing details of the unpatched vulnerability, the anonymous researcher may have triggered an incoming wave of forum hacks across the internet, in which attackers take over forums and steal the information they hold in bulk.

Analysis of the published code has revealed that the zero-day allows an attacker to execute shell commands on a server running a vBulletin installation. The vulnerability is particularly severe because an attacker does not even need an account on a targeted forum to launch an attack against it.

The zero-day discovered in vBulletin is a pre-authentication remote code execution vulnerability, one of the most severe classes of security flaw that can affect a web-based platform.

Anonymous disclosure

Details about the zero-day in vBulletin were published on the public access mailing list, Full Disclosure.

Security researchers often disclose vulnerabilities only after they have informed the vendor and given it enough time to patch the flaw. However, in this case it is still unclear whether the anonymous researcher reported the vulnerability directly to the vBulletin team, or whether they disclosed it after the company failed to address the issue fast enough. Typically, security researchers give businesses at least 90 days to patch vulnerabilities before exposing them publicly.

At the same time, the disclosure could also have been an act of intentional malice or sabotage with the researcher trying to hurt the reputation of MH Sub I, the company behind vBulletin. The researcher was able to conceal their identity when publishing details about the zero-day by using an anonymous email service. However, if the researcher had reported the zero-day directly to the company, they could have received a bug bounty worth $10,000 according to MH Sub I's price chart.

Around 0.1 percent of all internet sites run a vBulletin-powered forum. This number may look small, but billions of internet users could be affected by this zero-day. Fortunately, the zero-day only affects forums running vBulletin 5.x, so forums running earlier versions are safe.

Administrators of a vBulletin forum should first check which version of the software they are running. If they are using the latest version, security researchers have released an unofficial patch that mitigates the zero-day.

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.