An RCE vulnerability was discovered in vBulletin.


Yesterday in public access there was a mention of a found vulnerability in the vBulletin forum engine, as well as details of this 0day bug. Vulnerability was assigned identifier CVE-2019-16759 today   Vulnerable versions are vBulletin 5.x (from 5.0.0 up to the latest 5.5.4). The found bug belongs to the pre-auth RCE category, that is, it does not even require registering an account on the forum for successful operation (a simple HTTP POST request is enough). It is reported that this RCE vulnerability allows a hacker to execute shell commands on a server with vBulletin.   The widgetConfig [code] parameter in the ajax / render / widget_php file turned out to be vulnerable. A detailed description of the problem is available on Github.   Users have already begun to actively complain about hacking forums and deleting user databases:       This is not surprising, because the vulnerability exploit itself, Google dork, and even an automated script to search for vulnerable vBulletin were publicly available. That is, a complete set for the implementation of dirty tricks with the hands of a violin kid and other juvenile delinquents. And, given the ease of operation of the bug, this becomes generally dangerous.   And the most unpleasant thing about this is all that, as it turned out, has been known about the vulnerability for more than 3 years. According to the head of Zerodium on Twitter, for his “customers” this vulnerability has been available for purchase since 2016. That is, government hackers could well use this vulnerability for their own purposes and for attacks on objectionable forums, public activists and resources, which further raises the issue of the legality of the functioning of organizations such as Zerodium.   The only good news is that vBulletin developers have already released the patch. I highly recommend urgently updating your vBulletin. For those who for some reason cannot install the official patch, an unofficial fix is ​​available.   I remind you, as of 2019, 0.1% of all Internet sites work on the basis of vBulletin.