An anonymous hacker has published the details of, and proof-of-concept exploit code for, an unpatched, critical zero-day remote code execution (RCE) vulnerability in vBulletin.
The flaw is rated severe because it is exploitable remotely and requires no authentication: an attacker needs nothing more than network access to a vulnerable forum.
vBulletin is a widely used proprietary Internet forum package written in PHP. It powers more than 100,000 websites, including forums run by Fortune 500 companies and by sites in the Alexa Top 1 million.
According to the post on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 through the latest release, 5.5.4.
The vulnerability lies in an internal widget file of the forum package that accepts its configuration from URL parameters and then evaluates that configuration on the server without proper validation. Because the input is attacker-controlled and is interpreted as code rather than treated as data, anyone who can send a request can inject commands and execute code on the system remotely.
The hacker also released a Python-based proof-of-concept exploit, which lowers the bar for anyone to exploit the zero-day in the wild.
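Because the flaw is reached through URL parameters that the server then evaluates, a first defensive step while a patch is pending is to check access logs for requests whose parameters carry server-side code. The script below is an added example for this article; it is not part of the disclosure, the proof-of-concept, or vBulletin's own code. It parses combined-format (Apache/nginx) access log lines and flags any query-string parameter whose decoded value contains PHP code fragments, decoding repeatedly so that double URL-encoding does not hide the payload. The request path `/forum/ajax/render/widget`, the parameter name `config[code]`, and every log line in `SAMPLE_LOG` are constructed placeholders: the article does not name the affected file or parameter, so the scanner keys on the content of parameter values rather than on any particular name.

```python
"""Flag access-log requests whose URL parameters carry PHP code.

Added example for this article; not vBulletin code and not the published
proof-of-concept. The path and parameter names in SAMPLE_LOG are constructed
placeholders: the article says only that a widget file takes its configuration
from URL parameters and evaluates it server-side, so the scanner keys on the
content of parameter values, not on their names.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Fragments that have no business inside a forum widget's configuration value.
PHP_CODE_PATTERNS = [
    re.compile(r"<\?php", re.I),
    re.compile(r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    re.compile(r"\bbase64_decode\s*\(", re.I),
    re.compile(r"`[^`]+`"),  # PHP backtick operator: executes the string as a shell command
]

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a benign GET, a single-encoded payload, a double-encoded payload,
# a benign value that merely looks like a function name, and a POST with no query string.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Sep/2019:09:58:40 +0000] "GET /forum/ajax/render/widget?config%5Btitle%5D=Welcome HTTP/1.1" 200 1024
203.0.113.5 - - [24/Sep/2019:10:00:01 +0000] "GET /forum/ajax/render/widget?config%5Bcode%5D=echo+shell_exec(%27id%27)%3B HTTP/1.1" 200 512
203.0.113.5 - - [24/Sep/2019:10:00:02 +0000] "GET /forum/ajax/render/widget?config%5Bcode%5D=%253C%253Fphp%2520system(%2522uname%2522)%253B HTTP/1.1" 200 640
198.51.100.9 - - [24/Sep/2019:10:01:13 +0000] "GET /forum/ajax/render/widget?config%5Btitle%5D=System+evaluation HTTP/1.1" 200 1024
203.0.113.5 - - [24/Sep/2019:10:02:30 +0000] "POST /forum/ajax/render/widget HTTP/1.1" 200 512
"""


def deep_unquote(value, rounds=3):
    """Percent-decode until the string stops changing (bounded), so double encoding does not hide a payload."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return (name, decoded value, matched fragment) for each query parameter that looks like PHP code."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = deep_unquote(value)  # parse_qsl has already decoded one layer
        for pattern in PHP_CODE_PATTERNS:
            match = pattern.search(decoded)
            if match:
                hits.append((name, decoded, match.group(0)))
                break  # one finding per parameter is enough
    return hits


def scan_log(text):
    """Parse combined-format lines and return one finding per request that has suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner would count and report these
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        for name, value, fragment in f["hits"]:
            print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["path"]} status={f["status"]} '
                  f'param={name!r} matched={fragment!r} value={value!r}')
```

Two caveats apply. Access logs record only the request line, so a payload delivered in a POST body (as in the last sample line) is invisible here and has to be inspected at the WAF or application layer; and matching on content rather than names trades precision for coverage, so tune `PHP_CODE_PATTERNS` against your own traffic before turning findings into alerts.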
No Common Vulnerabilities and Exposures (CVE) identifier had been assigned to the vulnerability at the time of writing.
The vBulletin maintainers have been informed of the disclosure, and a patch is expected before attackers begin using the flaw against vBulletin installations. Until that patch ships, administrators running an affected 5.x release should treat any Internet-facing forum as exposed, given that working exploit code is already public.