The widespread vBulletin CMS has a vulnerability that allows remote attackers to create new administrative accounts.

Back in August, users of versions in the 4.1+ and 5+ series were advised to delete the /install/ or /core/install/ directories (depending on version) as a workaround against the bug, but vBulletin didn't advise of the impact of the problem.

However, according to this article at Help Net Security, the vulnerability allows admin account injection using vulnerable PHP code.

A user whose site was compromised in September posted an Apache log that identified the attack source (below).

The vulnerable upgrade.php resource is attacked to inject the unwanted administrative user account.

The author of the article, Barry Shteiman of Imperva, notes that the exploit code and technique were found on hacker forums, meaning that the exploit is in the wild.

If the vBulletin user can't, for some reason, delete the /install/ or /core/install/ directories, Shteiman advises that they implement redirects to block incoming requests trying to hit the upgrade.php file. ®

Related stories

• Password reset invoked after vBulletin.com forum software site defaced (3 November 2015)

  https://www.theregister.com/2015/11/03/vbulletin_forum_software_hacked_defaced/

• WordPress two-factor login plugin bug, er, bypasses 2-factor login (18 February 2014)

  https://www.theregister.com/2014/02/18/wordpress_2fa_bug_can_bypass_authentication/

• iFrame attack injects code via PNGs (5 February 2014)

  https://www.theregister.com/2014/02/05/iframe_attack_injects_code_via_pngs/

• OpenSUSE forums hacked in ANOTHER vBulletin attack (8 January 2014)

  https://www.theregister.com/2014/01/08/opensuse_forums_hacked_emails_exposed/

• vBulletin.com's password database hack gives forum admins the jitters (18 November 2013)

  https://www.theregister.com/2013/11/18/vbulletin_hacked/

• PHP.net resets passwords after malware-flinging HACK FLAP (25 October 2013)

  https://www.theregister.com/2013/10/25/phpnet_compromise_analysis/

• D-Link hole-prober finds 'backdoor' in Chinese wireless routers (22 October 2013)

  https://www.theregister.com/2013/10/22/tenda_router_backdoor/

• Ubuntu puts forums back online, reveals autopsy of a brag hacker (2 August 2013)

  https://www.theregister.com/2013/08/02/ubuntu_forum_hack_postmortem/

• Ubuntuforums.org cracker promises no password release (23 July 2013)

  https://www.theregister.com/2013/07/23/ubuntuforums_cracker_promises_no_password_release/

• vBulletin abandons bid for injunction against ex-devs (22 May 2011)

  https://www.theregister.com/2011/05/22/vbulletin_abandons_motion_for_injuction_against_former_devs/

• vBulletin sues ex-devs over 'from scratch' competitor (5 October 2010)

  https://www.theregister.com/2010/10/05/vbulletin_sues_ex_employees/

• vBulletin vuln gifts admin credentials to unwashed masses (23 July 2010)

  https://www.theregister.com/2010/07/23/vbulletin_vuln/

• vBulletin denies busting downloads in paid-up protester ban (30 October 2009)

  https://www.theregister.com/2009/10/30/vbulletin_defends_forum_bans/

• Forum king vBulletin muzzles paid-up protesters (28 October 2009)

  https://www.theregister.com/2009/10/28/vbulletin_controversy/