An nameless hacker these days publicly revealed details and proof-of-thought exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the broadly used online forum application.
Just one of the reasons why the vulnerability really should be seen as a severe problem is not just mainly because it is remotely exploitable, but also doesn’t need authentication.
Composed in PHP, vBulletin is a extensively made use of proprietary Internet discussion board software package package that powers more than 100,000 internet sites on the Web, including Fortune 500 and Alexa Best 1 million organizations websites and community forums.
In accordance to particulars published on the Comprehensive Disclosure mailing list, the hacker claims to have located a distant code execution vulnerability that appears to impact vBulletin versions 5.. till the most recent 5.5.4.
The vulnerability resides in the way an internal widget file of the discussion board software package bundle accepts configurations by using the URL parameters and then parse them on the server with no right basic safety checks, enabling attackers to inject instructions and remotely execute code on the process.
As a evidence-of-concept, the hacker has also produced a python-primarily based exploit that could make it less difficult for any one to exploit the zero-working day in the wild.
So far, the Typical Vulnerabilities and Exposures (CVE) selection has not been assigned to the vulnerability.
The Hacker News has also informed vBulletin venture maintainers about the vulnerability disclosure and assume them to patch the security situation in advance of hackers started out exploiting them to target vBulletin installations.