Patch your vBulletin forum – or get popped

Is this how the Dota 2 message board was pwned?


If you've got a vBulletin forum, get patching – another security flaw has been found in the widely used web message board software.

The patches address a pre-authentication server-side request forgery vulnerability (CVE-2016-6483) in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3. Attackers can exploit the bug to reach internal services, such as email and memory-cache servers, that are not meant to be exposed to the forum's users.

In this advisory, Dawid Golunski, who found the programming blunder, revealed that an “unauthenticated attacker could perform a port scan of the internal services as well as execute arbitrary system commands on a target vBulletin host with a locally installed Zabbix Agent monitoring service.”

The problem is in how vBulletin lets forum users upload media files: while the software tries to prevent posters from using HTTP redirects, “there is one place in the vBulletin codebase that accepts redirects from the target server specified in a user-provided link.”
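The defensive pattern the advisory's description points to is a fetcher that re-validates the destination on every redirect hop rather than only on the first, user-supplied URL. The Python below is an added example, not vBulletin's code; the DNS table, sample site and the `fetch`/`resolver` callables are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin
# Address ranges a public media fetcher must never reach (loopback, RFC 1918, link-local).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def dns_resolver(host):
    """Real DNS lookup; returns the set of addresses the host name maps to."""
    return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)}

def table_resolver(table):
    """Constructed stand-in for DNS so the example runs offline: host -> list of IPs."""
    return lambda host: {ipaddress.ip_address(a) for a in table[host]}

def is_safe_url(url, resolver=dns_resolver):
    """Allow only http(s) on web ports whose resolved addresses are all public."""
    try:
        p = urlparse(url)
        if p.scheme not in ("http", "https") or not p.hostname or p.port not in (None, 80, 443):
            return False
        addrs = resolver(p.hostname)
    except (KeyError, ValueError, socket.gaierror):
        return False
    return bool(addrs) and not any(a in n for a in addrs for n in BLOCKED_NETS)

def fetch_media(url, fetch, resolver=dns_resolver, max_hops=3):
    """fetch(url) -> (status, location_header, body). The fetcher follows redirects
    itself so that every hop passes is_safe_url, which is the check the advisory
    says one vBulletin code path skipped when it accepted the server's redirect."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url, resolver):
            raise ValueError("blocked: " + url)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url, body
    raise ValueError("too many redirects")
# Constructed sample site: one image is served directly, the other redirects to loopback.
# sample_fetch stands in for an HTTP client that does NOT follow redirects on its own.
SAMPLE_DNS = {"img.example.com": ["203.0.113.10"], "localhost": ["127.0.0.1"]}
SAMPLE_SITE = {
    "https://img.example.com/dog.png": (200, None, b"\x89PNG..."),
    "https://img.example.com/cat.png": (302, "http://localhost/internal", b""),
}

def sample_fetch(url):
    return SAMPLE_SITE[url]
```

The underlying HTTP client must have automatic redirect following disabled; otherwise the per-hop check is never consulted for the second request.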

The advisory includes proof-of-concept code.

The patches come amid reports that the vBulletin-powered Dota 2 forums were hacked earlier this year. ®

