vBulletin Releases Patch Update for New RCE and SQLi Vulnerabilities




After releasing a patch for a critical zero-day remote code execution vulnerability late last month, vBulletin has now published a new security patch update that addresses three more high-severity vulnerabilities in its forum software.

If left unpatched, the reported security vulnerabilities, which affect vBulletin 5.5.4 and prior versions, could eventually allow remote attackers to take complete control over targeted web servers and steal sensitive user information.

Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers over 100,000 websites, including the websites and forums of Fortune 500 and Alexa Top 1 million companies.

Discovered by application security researcher Egidio Romano, the first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw, while the other two are SQL injection issues, both tracked under a single ID, CVE-2019-17271.


vBulletin RCE and SQLi Flaws


The RCE flaw resides in the way the vBulletin forum handles user requests to update their profile avatars (the icon or graphical representation of the user). Because the relevant parameters are not sanitized, a remote attacker can inject and execute arbitrary PHP code on the target server.

However, it should be noted that this vulnerability is not exploitable in a default vBulletin installation; exploitation is possible only when the "Save Avatars as Files" option has been enabled by the website administrator.

Romano has also released a public proof-of-concept exploit for this RCE vulnerability.

The other two vulnerabilities are an in-band (read) SQL injection issue and a time-based blind SQL injection issue that reside in two separate endpoints. Both could allow administrators with restricted privileges to read sensitive data from the database that they would otherwise not be permitted to access.


Security Patches Released


Romano responsibly reported all of the vulnerabilities to the vBulletin project maintainers just last week, on September 30. The team acknowledged his findings and released the following security patch updates that address the reported flaws:


  • vBulletin 5.5.4 Patch Level 2
  • vBulletin 5.5.3 Patch Level 2
  • vBulletin 5.5.2 Patch Level 2


Administrators are strongly advised to apply the security patch before attackers start exploiting these vulnerabilities to target their forum users, as happened last week when someone stole the login information of nearly 245,000 Comodo Forums users after the company failed to apply the available patches in time.
