Release date: 2013-10-04
Updated on:
Affected Systems:
VBulletin 5.x
VBulletin 4.x
Description:
--------------------------------------------------------------------------------
VBulletin is a powerful and flexible forum program suite that can be customized based on your needs.
vBulletin 4.x.x and 5.x.x.x allow a remote attacker to create an additional administrator account through vBulletin's installation/configuration mechanism, giving the attacker full control of the vBulletin application and, from there, of the sites it serves. To exploit this vulnerability, the attacker needs the exact URL of the vBulletin upgrade.php script and the ID that script expects.
<* Source: vBulletin
Link: http://www.networkworld.com/news/2013/101013-hackers-exploit-vbulletin-vulnerability-to-274728.html?source=nww_rss&utm_source=twitterfeed&utm_medium=twitter
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
VBulletin
---------
The vendor has not disclosed the root cause or the impact of the vulnerability. Until a fix is available, we recommend deleting the /install directory (vBulletin 4.x) or the /core/install directory (vBulletin 5.x). Users who cannot delete these directories should block, at the WAF or web server, any request that reaches these install scripts or that is redirected to upgrade.php.
Http://www.vbulletin.com/
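The following script is an added example, not part of this advisory and not vBulletin's own tooling. It applies the two mitigations above to a local vBulletin document root: it locates the /install and /core/install directories named in the advisory, removes them, or (for sites that cannot delete them) drops an .htaccess into each that denies all HTTP access to the installer and upgrade.php. It assumes the document root passed as the argument is the directory holding the forum's index.php and, for the deny path, that Apache serves it with AllowOverride enabled; the function names and the .htaccess contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or vBulletin): find the vBulletin
# install directories under a document root and either delete them or
# deny web access to them. Assumption: $1 is the forum's document root.
set -eu

# Paths from the advisory: /install for vBulletin 4.x, /core/install for 5.x.
VB_INSTALL_DIRS="install core/install"

# Print each install directory that still exists under the document root.
vb_find_install_dirs() {
    docroot=$1
    for d in $VB_INSTALL_DIRS; do
        [ -d "$docroot/$d" ] && printf '%s\n' "$docroot/$d"
    done
    return 0
}

# Preferred fix: delete the directories outright (the advisory's first option).
vb_remove_install_dirs() {
    docroot=$1
    vb_find_install_dirs "$docroot" | while read -r d; do
        rm -rf -- "$d"
        echo "removed $d"
    done
}

# Fallback for sites that cannot delete them: deny all HTTP access at the
# web server. Assumes Apache with AllowOverride permitting these directives.
vb_deny_install_dirs() {
    docroot=$1
    vb_find_install_dirs "$docroot" | while read -r d; do
        cat > "$d/.htaccess" <<'EOF'
# Block all HTTP access to the vBulletin installer/upgrader (upgrade.php).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
        echo "denied $d"
    done
}

# Usage (hypothetical document root):
#   vb_find_install_dirs /var/www/forum
#   vb_remove_install_dirs /var/www/forum   # or: vb_deny_install_dirs /var/www/forum
```

Deleting the directories is the stronger fix, because the .htaccess variant depends on the web server actually honouring per-directory overrides. On nginx, where .htaccess is ignored, the equivalent is a `location ~ ^/(core/)?install/ { deny all; }` block in the server configuration; whichever route is taken, confirm afterwards that a request for /install/upgrade.php or /core/install/upgrade.php returns 403 or 404 rather than the installer page.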