Critical Zeroday Dropped for vBulletien version 5X [Exploit Code]
An anonymous hacker published all the details along with the exploit code for unpatched, critical Remote Code Execution bug in VBulletin. At this time this bug hasn't been provided with the CVE number, but the severity of bug is Critical because it can be exploited remotely and doesn't need any authorization.
Vbulletin is one of the popular internet forum software, which is running on more than 100,000 websites.
The details and the Proofs-of-Concept was published on Full Disclosure mailing list, and according to this, it explains that hacker found Remote Code Execution vulnerability on the VBulletin software prior to version 5.0.0 to the latest 5.5.4.
According to the exploit code, it seems that the bug resides on widget file of the forum software package that passes configurations request via the URL parameters and then parse them on the server without security checks. This improper validation of the parsing leads the attacker to inject and execute commands on the system remotely.
As hacker has already published the exploit code which is coded on python makes easy for others to exploit the vulnerability. Till yet there is no patch available for the bug, neither we have seen any comments from VBulletin developers.
Vbulletin is one of the popular internet forum software, which is running on more than 100,000 websites.
The details and the Proofs-of-Concept was published on Full Disclosure mailing list, and according to this, it explains that hacker found Remote Code Execution vulnerability on the VBulletin software prior to version 5.0.0 to the latest 5.5.4.
According to the exploit code, it seems that the bug resides on widget file of the forum software package that passes configurations request via the URL parameters and then parse them on the server without security checks. This improper validation of the parsing leads the attacker to inject and execute commands on the system remotely.
As hacker has already published the exploit code which is coded on python makes easy for others to exploit the vulnerability. Till yet there is no patch available for the bug, neither we have seen any comments from VBulletin developers.