Critical zero-day exploit for vBulletin forum publicly disclosed by anonymous researcher

Security flaw affects version 5 of the vBulletin forum software

An anonymous security researcher has publicly revealed details of an unpatched, zero-day vulnerability affecting vBulletin, one of the most popular web forum applications.

The flaw affects version 5 of the vBulletin forum software and could be exploited by attackers to take over vulnerable web forums.

The researcher revealed details of this "pre-authentication remote code execution" weakness in a post to the Full Disclosure mailing list, sent from an address that does not identify them. Proof-of-concept code that could be used to exploit the zero-day flaw in the wild was published alongside the write-up.

The post explained how an attacker could use a single, specially crafted HTTP POST request to execute a shell command on a targeted vBulletin server without first authenticating. Because no account is required, closing registration or restricting logins offers no protection. Successful exploitation would let an attacker hijack the web server running the forum software, use it to launch attacks on other machines, modify or steal sensitive information, and so on.

The vulnerability appears to affect vBulletin versions 5.0.0 through the latest release, 5.5.4. No patch is currently available to fix the security flaw.

vBulletin is one of the most popular web forum software packages, powering over 100,000 websites. Its version 5 branch was introduced in 2012 and, despite vBulletin being a commercial product, it has a larger user base than competing forum packages such as XenForo, phpBB, MyBB, Simple Machines Forum, and others.

It is not known whether the anonymous researcher had notified the vBulletin team about the vulnerability beforehand, or whether a failure by the vendor to address a private report prompted the researcher to disclose the flaw publicly.

Because details of the unpatched vulnerability, including working exploit code, are now in the public domain, security experts are concerned that attackers could soon start compromising web forums across the internet in an effort to steal user information in bulk.

They have also advised sites running vBulletin version 5 to monitor their servers closely for signs of exploitation until a fix is available. In practice that means watching web server logs for unexpected POST traffic to the forum and checking for new or modified files in the forum's web root, since an attacker who can run shell commands as the web server user can drop a backdoor there.