A security researcher has found a technique to bypass the patch that was issued to fix a zero-day bug in vBulletin, one of the most widely used online forum software packages. The bug can be exploited to execute remote code and take over a forum without authentication. It was discovered last year, and a patch was made available last year, but now a way to bypass that patch has been found.

vBulletin Zero-day Vulnerability Exploited!

vBulletin is one of the most widely used online forum software packages today, deployed by many companies. It lets you create simple and resourceful discussion boards for a topic or a group. These are lucrative targets, as they hold extensive information about users’ personal data, their messages, and even financial information if payments are handled for a paid online forum.

Even the smallest forums have hundreds or thousands of users, making vBulletin a more attractive target than other content management systems such as WordPress or Joomla. Against this backdrop, a zero-day bug (CVE-2019-16759) was found in vBulletin on September 24th last year, and a patch was made available the very next day. Yet, according to a new report, that patch is not adequate.

Amir Etemadieh, an Austin-based security researcher, said the earlier patch for the CVE-2019-16759 vulnerability wasn’t secure enough, as he was able to bypass the patch and achieve the same results. Without first contacting the vBulletin team to inform them, he disclosed his findings along with proof-of-concept code in Ruby, Python, and Bash.

This was soon picked up by adversaries and shared among online communities, Discord channels, Reddit, and Twitter. At least one online forum was hacked right after the publication: that of the DEF CON security group, which had held its conference last weekend.

vBulletin released a patch for this immediately and recommends updating to avoid having your discussion boards hacked.
