After releasing a patch for a critical zero-day remote code execution vulnerability late last month, vBulletin has now published a new security patch update that addresses three more high-severity vulnerabilities in its forum software.

If left unpatched, the reported security vulnerabilities, which affect vBulletin 5.5.4 and prior versions, could eventually allow remote attackers to take complete control over targeted web servers and steal sensitive user information.

Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers over 100,000 websites, including the websites and forums of Fortune 500 companies and Alexa Top 1 million sites.

Discovered by application security researcher Egidio Romano, the first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw, while the other two are SQL injection issues, both assigned a single ID as CVE-2019-17271.

vBulletin RCE and SQLi Flaws

The RCE flaw resides in the way the vBulletin forum handles user requests to update their profile avatars (the icon or graphical representation of a user), allowing a remote attacker to inject and execute arbitrary PHP code on the target server through unsanitized parameters.

However, it should be noted that this vulnerability is not exploitable in a default installation of the vBulletin forum; exploitation is possible only when the “Save Avatars as Files” option has been enabled by the website administrator.

Romano has also released a public proof-of-concept exploit for this RCE vulnerability.

The other two vulnerabilities are in-band and time-based SQL injection issues that reside in two separate endpoints and could allow administrators with restricted privileges to read sensitive data from the database that they would otherwise not be allowed to access.

Since these two SQL injection flaws cannot be exploited by just any registered user and require special permissions, vBulletin forum administrators and users need not panic.

Security Patches Released

Romano responsibly reported all the vulnerabilities to the vBulletin project maintainers just last week on September 30, and the team acknowledged his findings and released the following security patch updates that address the reported flaws.

  • vBulletin 5.5.4 Patch Level 2
  • vBulletin 5.5.3 Patch Level 2
  • vBulletin 5.5.2 Patch Level 2

Administrators are strongly recommended to apply the security patch before attackers start exploiting the vulnerabilities to target their forum users, just as someone did last week to steal the login information of nearly 245,000 Comodo Forums users after the company failed to apply available patches on time.