Details about a zero-day in the popular internet forum software vBulletin have been published online by an anonymous security researcher.
Following the disclosure, security experts have become concerned that by publishing details about the unpatched vulnerability, the anonymous researcher may have just triggered an incoming wave of forum hacks across the internet that could see hackers take over forums and steal the information contained in them in bulk.
Analysis of the published code has revealed that the zero-day allows an attacker to execute shell commands on a server running a vBulletin installation. The vulnerability is quite severe as an attacker does not even need to have an account on a targeted forum to launch an attack against it.
- Security researcher exposes zero-day WordPress vulnerabilities
- Valve updates bug bounty rules after Steam zero-day controversy
- Researcher exposes VirtualBox zero-day vulnerability
The zero-day discovered in vBulletin is known as a pre-authentication remote code execution vulnerability and it is one of the worst types of security flaw that can impact a web-based platform.
Details about the zero-day in vBulletin were published on the public access mailing list, Full Disclosure (opens in new tab).
Security researchers often disclose vulnerabilities after they've informed a company and given it enough time to patch the flaw. However in this case, it is still unclear as to whether the anonymous researcher reported the vulnerability directly to the vBulletin team or if they disclosed the vulnerability after the company failed to address the issue fast enough. Typically security researchers give businesses at least 90 days to patch vulnerabilities before exposing them publicly.
At the same time, the disclosure could also have been an act of intentional malice or sabotage with the researcher trying to hurt the reputation of MH Sub I, the company behind vBulletin. The researcher was able to conceal their identity when publishing details about the zero-day by using an anonymous email service. However, if the researcher had reported the zero-day directly to the company, they could have received a bug bounty worth $10,000 according to MH Sub I's price chart.
Around 0.1 percent of all internet sites run a vBulletin-powered forum and this number may look small but billions of internet users could be affected by this zero-day. Thankfully though, the zero-day only affects forums running vBulletin 5.x, so forums running earlier versions are safe.
Users in charge of a vBulletin forum should first check to see which version of the software they are running and if they are using the latest version, security researchers have released an unofficial patch (opens in new tab) to mitigate the zero-day.
- Also check out the best antivirus software of 2019