Patch your vBulletin forum – or get popped

Is this how the Dota 2 message board was pwned?

If you've got a vBulletin forum, get patching – another security flaw has been found in the widely used web message board software.

The patches address a pre-authentication server-side request forgery vulnerability (CVE-2016-6483) in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3. Attackers can exploit the bug to get access to services such as email, the memory cache, and other services.

In this advisory, Dawid Golunski, who found the programming blunder, revealed that an “unauthenticated attacker could perform a port scan of the internal services as well as execute arbitrary system commands on a target vBulletin host with a locally installed Zabbix Agent monitoring service.”

The problem is in how vBulletin lets forum users upload media files: while the software tries to prevent posters from using HTTP redirects, “there is one place in the vBulletin codebase that accepts redirects from the target server specified in a user-provided link.”

The advisory includes proof-of-concept code.

That patch comes as Leakedsource.com reports that the vBulletin-powered Dota 2 forums were hacked earlier this year. ®




Biting the hand that feeds IT © 1998–2018