vBulletin bulleted with vulnerabilities #zeroday

Two vulnerabilities affecting version 5 of the popular vBulletin forum CMS were revealed by researchers last week. vBulletin is currently accessed by over 100,000 sites.The vulnerabilities were uncovered by a security researcher from Italy-based security firm TRUEL IT and an hidden independent security researcher, who disclosed the details of the vulnerabilities by Beyond Security’s SecuriTeam Secure Disclosure program.

The first vulnerability was revealed by an independent security researcher, it is described as an unauthenticated file inclusion issue and could lead to remote code execution.vBulletin Forum

The second vulnerability revealed by  the vBulletin forum software version 5 has been assigned CVE-2017-17672 and described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code “under some circumstances.
The vulnerability is due to unsafe usage of PHP’s unserialize() on user-supplied input.

vB_Library_Template’s cacheTemplates() function, which is an publicly exposed API which allows to fetch information on a set of given templates from the database in order to store them inside a cache variable.

File core/vb/api/template.php – function cacheTemplates():


Let’s take a look at $templateidlist – core/vb/library/template.php – function cacheTemplates():

$temnplateidlist variable, which can come directly from user-input, is directly supplied to unserialize(), resulting in an arbitrary deserialization primitive.

For both vulnerabilities, the researchers released proof-of-concept (PoC) codes and both the vulnerabilities are yet not patched.

Proof of Concept(CVE-2017-17672)

By sending the following POST request an unauthenticated attacker can delete files from the victims’ server




The server then will respond with:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: