Potential vBulletin Exploit (4.1+ and 5+)

The vBulletin team just posted a pre-disclosure warning on their announcements forum about a possible exploit in versions 4.1+ and 5+ of vBulletin.

They don’t provide many details, but they did state that webmasters need to remove the /install and /core/install directories from their websites. This is the full message:

A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X – /install/
5.X – /core/install

After deleting these directories your sites cannot be affected by the issues that we’re currently investigating.

vBulletin 3.X and pre-4.1 would not be affected by these issues. However, if you want the best security precautions, you can delete your install directory as well.

Going back to our logs, we don’t see any specific scans for /core/install, but we see constant discovery requests for /install. We don’t yet know if that is related to vBulletin or other CMSs.

Our team will be watching it closely, and any client under our CloudProxy WAF is already protected by it, since we only allow access to the “install” directories from whitelisted IP addresses.
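One way to check the mitigation from your own access logs, as an added example (not code from the original post, vBulletin or Sucuri): it counts requests to the two install paths from clients outside an admin allowlist and separates the ones the server answered from the ones it refused. The combined log format, the allowlist range and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Install paths named in the advisory: 4.x /install/, 5.x /core/install.
# Matches under any forum prefix, but not e.g. /installation-help.
INSTALL_PATH = re.compile(r"/(core/)?install(?:/|$)", re.IGNORECASE)
# Apache/nginx "combined" log format: client, request line, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumption: admin network allowed to reach the installer (documentation range).
ALLOWLIST = [ip_network("192.0.2.0/28")]

# Constructed sample log lines, not taken from real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:01:12 +0000] "GET /install/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:15 +0000] "GET /core/install/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.40 - - [01/Jan/2024:10:05:44 +0000] "GET /install HTTP/1.1" 403 199 "-" "curl/7.30"
192.0.2.5 - - [01/Jan/2024:10:09:02 +0000] "GET /install/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.40 - - [01/Jan/2024:10:11:30 +0000] "GET /forum/installation-help HTTP/1.1" 200 8841 "-" "curl/7.30"
"""

def audit_install_requests(log_text, allowlist=ALLOWLIST):
    """Return {client: {"served": n, "blocked": n}} for non-allowlisted install-path hits."""
    findings = defaultdict(lambda: {"served": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if not INSTALL_PATH.search(path):
            continue
        try:
            if any(ip_address(client) in net for net in allowlist):
                continue  # expected admin access
        except ValueError:
            pass  # hostname instead of an IP: treat as not allowlisted
        # 2xx/3xx means the directory still exists and answered this client.
        outcome = "served" if status[0] in "23" else "blocked"
        findings[client][outcome] += 1
    return {ip: dict(counts) for ip, counts in findings.items()}

if __name__ == "__main__":
    for ip, counts in sorted(audit_install_requests(SAMPLE_LOG).items()):
        flag = "INSTALL DIR STILL REACHABLE" if counts["served"] else "probe only"
        print(f"{ip}: {counts} -> {flag}")
```

Any client with a non-zero "served" count means the install directory is still present and reachable from outside the allowlist.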

About Daniel Cid

Daniel B. Cid is the CTO & Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • Adeel Sami

    Hello Daniel,

    Thanks for informing about this potential security threat.

    What if, instead of removing the /install directory, we just rename the /install directory with some hard characters (a combination of alphabetic, numeric and special characters)? Will this still be vulnerable?

    Thanks again!

    • Patrick D

      Rename the install directory or remove it and you will be fine.

  • irrational

    Renaming your install directory will not protect you in the event that you have an XML sitemap generator, or your renamed folder gets indexed by Google. Also note that the “vBulletin 3.X and pre-4.1 would not be affected by these issues.” statement is invalid, as 3.x and pre-4.1 are vulnerable as well.

  • http://blackhatpwnage.com/ igl00

    This is a big XSS bug.