vBulletin remote command execution via the widgetConfig[code] parameter

2019-09-27T00:00:00
ID SAINT:5E9C514C58BB2DB045AFC1DC32680275
Type saint
Reporter SAINT Corporation
Modified 2019-09-27T00:00:00

Description

Added: 09/27/2019

Background

vBulletin is a commercial web bulletin board application written in PHP using MySQL.

Problem

vBulletin allows remote command execution via the **widgetConfig[code]** parameter in an ajax/render/widget_php routestring request. The widget_php renderer evaluates the value of this parameter as PHP code, so an unauthenticated remote attacker who can reach the forum over HTTP can execute arbitrary commands on the server with the privileges of the web server process.

Resolution

Upgrade vBulletin to a version higher than 5.5.4 when one becomes available.

References

<https://seclists.org/fulldisclosure/2019/Sep/31>

Limitations

Exploit works on vBulletin versions 5.0.0 through 5.5.4.
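The following Python script is an added example for the Problem and Limitations sections above; it is not SAINT's or vBulletin's code. It flags HTTP requests that combine the ajax/render/widget_php route with a widgetConfig[code] parameter (in the query string or the form body, with or without URL-encoded brackets), and it checks a vBulletin version string against the affected range 5.0.0 through 5.5.4. It assumes that vBulletin accepts the route either as the rewritten path /ajax/render/widget_php or as a routestring parameter; the sample requests and version strings are constructed for the example, and PAYLOAD is a placeholder value.

```python
"""Detection helpers for the vBulletin widgetConfig[code] RCE pattern.

Added example for this advisory, not SAINT's or vBulletin's own code.
SAMPLE_REQUESTS are constructed for the example; PAYLOAD is a placeholder.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

VULN_ROUTE = "ajax/render/widget_php"
VULN_PARAM = "widgetconfig[code]"          # compared after lower-casing
AFFECTED_MIN = (5, 0, 0)                   # per the advisory's Limitations
AFFECTED_MAX = (5, 5, 4)


def _params(raw):
    """Decode a query string or x-www-form-urlencoded body into (name, value)
    pairs. parse_qsl unquotes %5B/%5D, and lower-casing the name stops
    mixed-case parameter names from evading the match."""
    return [(k.lower(), v) for k, v in parse_qsl(raw, keep_blank_values=True)]


def is_widget_php_rce(raw_request):
    """Return True if raw_request targets ajax/render/widget_php (as the
    path or as a routestring parameter, an assumption about vBulletin's
    routing) and carries a widgetConfig[code] parameter anywhere."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False                        # not a well-formed request line
    url = urlsplit(parts[1])
    params = _params(url.query) + _params(body)
    path = unquote_plus(url.path).lower()
    routes = [path] + [v.lower() for k, v in params if k == "routestring"]
    hits_route = any(VULN_ROUTE in r for r in routes)
    has_code = any(k == VULN_PARAM for k, _ in params)
    return hits_route and has_code


def scan_requests(requests):
    """Map each named request to its verdict."""
    return {name: is_widget_php_rce(req) for name, req in requests.items()}


def _version_tuple(version):
    """'5.5.4' -> (5, 5, 4); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(version):
    """True when version falls in the advisory's range 5.0.0..5.5.4 inclusive."""
    return AFFECTED_MIN <= _version_tuple(version) <= AFFECTED_MAX


# Constructed sample traffic (not captured from a real system).
SAMPLE_REQUESTS = {
    "post_body": (
        "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1\r\n"
        "Host: forum.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "widgetConfig%5Bcode%5D=PAYLOAD"
    ),
    "get_query": (
        "GET /ajax/render/widget_php?widgetConfig[code]=PAYLOAD&x=1 HTTP/1.1\r\n"
        "Host: forum.example\r\n"
        "\r\n"
    ),
    "benign_widget": (
        "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1\r\n"
        "Host: forum.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "widgetConfig%5Btitle%5D=hello"
    ),
    "other_route": (
        "POST /index.php?routestring=ajax/render/something HTTP/1.1\r\n"
        "Host: forum.example\r\n"
        "\r\n"
        "widgetConfig%5Bcode%5D=PAYLOAD"
    ),
}

if __name__ == "__main__":
    for name, verdict in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{name}: {'ALERT' if verdict else 'ok'}")
    for v in ("5.0.0", "5.5.4", "5.5.5"):
        print(f"vBulletin {v} affected: {is_affected_version(v)}")
```

The detector keys on the parameter name rather than its value, so it does not depend on any particular payload; a WAF or log pipeline can apply the same rule. Note that POST bodies are not present in ordinary web-server access logs, so the body check only helps where full requests (proxy, WAF or packet capture) are available.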