vBulletin Zero-Day revealed to be exploited for years. Company releases unofficial patch

Posted 30th September, 2019 by Nadejda

A zero-day exploit for the popular forum software vBulletin has been publicly disclosed and is being used to attack forums running the affected version. It was later revealed that this exploit had been known to, and used by, attackers for years.

A user publicly disclosed a zero-day remote code execution vulnerability in vBulletin on the Full Disclosure security mailing list. This critical vulnerability allows attackers to execute arbitrary commands on the affected site, download malicious software onto it, or tamper with the site's code.

Many users have reported their forums being attacked through this vulnerability, with one even claiming that their entire forum database was deleted. Thousands of high-profile companies and organizations, including NASA, EA, Pearl Jam and Sony Pictures, run this forum software.

vBulletin has responded with the release of an unofficial patch, which can be downloaded here.

The remote code execution vulnerability exists in the file includes/vb5/frontend/controller/bbcode.php and is caused by the evalCode($code) function, which passes a string of code to PHP's eval().

When the function runs, whatever is passed in $code is executed by eval(). That can be anything the web server's user is able to do, such as adding users or downloading and running files and scripts. The fix, however, is very simple: the patch comments out the eval() statement in the evalCode function.

You can add the patch yourself by editing the file includes/vb5/frontend/controller/bbcode.php.

You will see the function:



Edit the function so that the eval() call is commented out, like this:



Once this is done, the vulnerability can no longer be exploited. vBulletin strongly advised that users apply this patch immediately.
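The following script is an added illustration and is not code from this article or from vBulletin. It shows the unsafe pattern described above (a string of code handed straight to eval()) next to the hotfixed form with the eval() call commented out, and provides a small check a forum administrator can run to confirm that no live eval() call remains in the controller after editing it. The two PHP files it creates are constructed stand-ins for includes/vb5/frontend/controller/bbcode.php, not vBulletin's actual source; the function names live_eval_count and patch_applied are this example's own.

```shell
#!/bin/sh
# Added illustration, not code from the article or from vBulletin: a check
# that the hotfix described above (commenting out the eval() call inside
# evalCode) is really in place. The two PHP files created below are
# CONSTRUCTED stand-ins for includes/vb5/frontend/controller/bbcode.php,
# not vBulletin's actual source.

# live_eval_count FILE
# Prints the number of lines in FILE that call eval( and are not commented
# out (a line whose first non-blank characters are //, #, * or /* is
# treated as a comment).
live_eval_count() {
    sed 's/^[[:space:]]*//' "$1" \
        | grep -Ev '^(//|#|\*|/\*)' \
        | grep -c 'eval(' || true
}

# patch_applied FILE
# Succeeds (exit 0) when FILE has no live eval( call, fails otherwise.
patch_applied() {
    [ "$(live_eval_count "$1")" -eq 0 ]
}

workdir=$(mktemp -d)

# Constructed "before" file: the unsafe pattern the article describes.
cat > "$workdir/bbcode_unpatched.php" <<'EOF'
<?php
// CONSTRUCTED stand-in, not vBulletin code
class bbcode_stub
{
    protected function evalCode($code)
    {
        ob_start();
        eval($code);   // attacker-controlled string executed as PHP
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
}
EOF

# Constructed "after" file: the same function with the eval() call
# commented out, as the hotfix does.
cat > "$workdir/bbcode_patched.php" <<'EOF'
<?php
// CONSTRUCTED stand-in, not vBulletin code
class bbcode_stub
{
    protected function evalCode($code)
    {
        ob_start();
        // eval($code);   disabled by the hotfix
        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }
}
EOF

# Report on both constructed files; run patch_applied against the real
# bbcode.php path on a server to check an actual installation.
for f in "$workdir/bbcode_unpatched.php" "$workdir/bbcode_patched.php"; do
    if patch_applied "$f"; then
        echo "OK   $f: no live eval() call"
    else
        echo "WARN $f: $(live_eval_count "$f") live eval() call(s) remain"
    fi
done
```

The check is deliberately simple: it treats any uncommented line containing eval( as live, so a multi-line comment block wrapping the call would be reported as still vulnerable until the line itself is commented out, which is what the hotfix does. Note that the hotfix disables the feature entirely rather than fixing it, so the proper long-term remedy is the vendor's official update once it is available.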



Known for years

After this news made headlines, Chaouki Bekrar, CEO of the American information security company Zerodium, took to Twitter to share that his team had known about this exploit for 3 years, and that a great number of researchers had profited by selling it.



While the public disclosure of the vulnerability has increased the number of attacks, it had most likely already been exploited for years.
