Two 0-day vulnerabilities in the vBulletin 5 forum software: no update is available yet

Experts from SecuriTeam Secure Disclosure (SSD) discovered two vulnerabilities in the popular vBulletin 5 forum software. The first vulnerability allows an attacker to send any file to the server and execute PHP code remotely; no CVE identifier has been assigned to it yet.

The researchers describe the problem this way:

"An unauthenticated attacker can trigger the attacker by sending a request to the server. web server."

The second vulnerability (CVE-2017-17672) allows files to be deleted from the server; under certain conditions, remote code execution is also possible.

Technical details are available on the SSD blog.

The researchers tried to contact the developers of "vB" several times. Having received no response since November 21, they published proofs of concept.
