Security researcher publishes details and exploit code for a vBulletin zero-day

A security researcher has published details and proof-of-concept exploit code for a zero-day vulnerability in vBulletin. The zero-day is a bypass of the patch for a previous vBulletin zero-day, CVE-2019-16759, disclosed in September 2019. That earlier zero-day let attackers exploit a bug in the vBulletin template system to run malicious code and take over forums without authenticating to the victim site (a class of bug known as a pre-auth RCE).

But a researcher has said that the patch for CVE-2019-16759 is inadequate at blocking exploitation and that he found a simple way to bypass it and continue exploiting the same vulnerability, which he demonstrated by publishing three proofs-of-concept, in Bash, Python, and Ruby.

EXPERT COMMENTS

Ilia Kolochenko, Founder and CEO, ImmuniWeb
August 12, 2020
Combined with the peak of summer holidays and Covid-19 disruption, this vulnerability may have quite disastrous and long-lasting consequences compared to similar ones disclosed in the past. The volume of personal data available in web forums is huge. Attackers will launch large-scale and automated hacking campaigns to later run password re-use and identity theft attacks, and extort money from thos ....