Zero Day in Less Than 20 Lines of Python Code

An unpatched zero day with the potential to affect tens of millions of forum users has been published by an anonymous security researcher.

The flaw, which was found in the internet forum software vBulletin, was published on the Full Disclosure mailing list. It shows how an attacker can use a single HTTP POST request to remotely execute commands on a vBulletin server, even without an account on the targeted forum. And it can all be achieved in less than 20 lines of Python code.

vBulletin runs on 0.1% of all internet sites, which may not seem like much. However, there are over 1.5 billion websites, so 0.1% accounts for around 1.5 million.

Because forums are involved, many of which have registered members who have handed over personal data, millions of users, tens of millions even, could be at risk. Prominent websites using vBulletin include NASA, the Denver Broncos, Sony Pictures, Fitday, Zynga and the Houston Texans.

The circumstances surrounding the publication of the zero day are unclear (neither vBulletin nor the anonymous researcher has commented), and it is not known whether the researcher reported the flaw to vBulletin, or whether vBulletin was alerted and did not fix the issue within a time frame to the researcher's liking.

The zero day works against vBulletin versions 5.0.0 to 5.5.4 and, at the time of writing, no fix is yet available. Forums running earlier versions are unaffected, so long as they are up to date with their security patches.

. . .
