Two vulnerabilities affecting version 5 of the popular vBulletin forum CMS were revealed by researchers last week. vBulletin is currently used by over 100,000 sites. The vulnerabilities were uncovered by a security researcher from Italy-based security firm TRUEL IT and an anonymous independent security researcher, who disclosed the details of the vulnerabilities through Beyond Security’s SecuriTeam Secure Disclosure program.
The second vulnerability revealed in vBulletin forum software version 5 has been assigned CVE-2017-17672 and is described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code “under some circumstances.”
The vulnerability is due to unsafe usage of PHP’s unserialize() on user-supplied input.
The affected code is vB_Library_Template’s cacheTemplates() function, a publicly exposed API that fetches information on a given set of templates from the database in order to store them inside a cache variable.
File core/vb/api/template.php – function cacheTemplates():
Let’s take a look at $templateidlist – core/vb/library/template.php – function cacheTemplates():
The $templateidlist variable, which can come directly from user input, is passed straight to unserialize(), resulting in an arbitrary deserialization primitive.
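A hardened way to decode such a list, as an added example that is not vBulletin's code or the researchers' PoC. The function name `decodeTemplateIdList()`, the 500-entry limit and the assumption that the values are positive integer template ids are illustrative.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not vBulletin code. Assumption: the list is an array
// whose values are positive integer template ids.
function decodeTemplateIdList(string $raw, int $maxIds = 500): array
{
    // Pattern the article describes, shown for contrast only:
    //   $ids = unserialize($raw);  // may instantiate any class the app can load
    // allowed_classes => false (PHP 7.0+) turns every serialized object into
    // an inert __PHP_Incomplete_Class, so no __wakeup()/__destruct() code of
    // application classes runs.
    $ids = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($ids) || count($ids) > $maxIds) {
        throw new InvalidArgumentException('expected a bounded array');
    }
    $clean = [];
    foreach ($ids as $key => $id) {
        // Reject nested arrays, incomplete objects, floats, negatives, etc.
        $isDigits = is_string($id) && ctype_digit($id);
        if (!(is_int($id) || $isDigits) || (int) $id < 1) {
            throw new InvalidArgumentException("invalid id at key {$key}");
        }
        $clean[$key] = (int) $id;
    }
    return $clean;
}

// Constructed sample inputs (not taken from any real request).
$samples = [
    'valid list'      => serialize(['header' => 12, 'footer' => '34']),
    'embedded object' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'not serialized'  => 'header=12',
];
foreach ($samples as $label => $raw) {
    try {
        echo $label, ': ', json_encode(decodeTemplateIdList($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Where both the client and the server can be changed, sending the list in a format with no object support, such as JSON, removes the need for unserialize() on request data entirely.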
For both vulnerabilities, the researchers released proof-of-concept (PoC) code, and neither vulnerability has been patched yet.
Proof of Concept (CVE-2017-17672)
By sending the following POST request, an unauthenticated attacker can delete files from the victim’s server
The server will then respond with: