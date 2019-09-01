Stories
Slash Boxes
Comments

SoylentNews is people

High-Severity Vulnerability in VBulletin is Being Actively Exploited

posted by martyb on Friday September 27, @11:21AM   Printer-friendly
from the NEVER-trust-your-inputs dept.
Security

Fnord666 writes:

Attackers are mass-exploiting an anonymously disclosed vulnerability that makes it possible to take control of servers running vBulletin, one of the Internet's most popular applications for website comments. Sites running the app should take comments offline until administrators install a patch that vBulletin developers released late Wednesday morning.

The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability is so severe and easy to exploit that some critics have described it as a back door.

"Essentially, any attack exploits a super simple command injection," Ryan Seguin, a research engineer at Tenable, told Ars. "An attacker sends the payload, vBulletin then runs the command, and it responds back to the attacker with whatever they asked for. If an attacker issues a shell command as part of the injection, vBulletin will run Linux commands on its host with whatever user permissions vBulletins' system-level user account has access to." Seguin has more in this technical analysis of the vulnerability.

Some people have too much time on their hands.

Source: ArsTechnica

Original Submission


«  US Senators Green-Light Recruitment Of Crack Infosec Teams, Both Public And Private
High-Severity Vulnerability in VBulletin is Being Actively Exploited | Log In/Create an Account | Top | 1 comments | Search Discussion
Display Options Threshold/Breakthrough Reply to Article Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
(1)