vBulletin Exploits in the Wild


Update: Check Point disclosed more details here: Check Point Discovers Critical vBulletin 0-Day.

The vBulletin team patched a serious object injection vulnerability yesterday; it can lead to full command execution on any site running an out-of-date vBulletin version. Patches are provided for the latest versions, from 5.1.4 to 5.1.9.

The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As a precaution, all passwords were reset; you will have to create a new one before you can access vbulletin.com again and download the patches.

Exploits in the Wild

This vulnerability seems to have been around for a bit. We were able to trace exploit attempts back to the end of October, when they targeted a few high-profile vBulletin sites protected by our Website Firewall.

The exploit was shared publicly yesterday. It attacks the decodeArguments Ajax API hook. Here is an example of an exploit attempt in the wild:

108.47.xx.yy – – [02/Nov/2015:22:18:21 -0500] “GET /vbforum[/]ajax/api/hook/decodeArguments?

Once decoded, it executes:


This shows the attacker the output of phpinfo, indicating that the exploit succeeded. If this test payload works, the attacker will proceed with a full compromise. We are not seeing widespread exploitation attempts yet, as just a few high-profile sites were targeted, but we expect that to change soon as the exploit makes its way into the automation engines.
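As an added illustration (not Sucuri's code), a small access-log scanner that flags requests to the decodeArguments hook mentioned above and raises the severity when the decoded query carries a serialized PHP object or the phpinfo probe; the log lines, IP addresses, class name and the `arguments` parameter name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-log prefix: client, timestamp, request line, status (straight quotes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint named in the post; matched case-insensitively under any forum
# sub-directory (e.g. /vbforum/).
HOOK_PATH = "/ajax/api/hook/decodearguments"

# Serialized PHP object prefix O:<len>:"Class" reaching the decoder marks an
# object injection attempt; phpinfo is the success probe the post describes.
SERIALIZED_OBJ_RE = re.compile(r'O:\d+:"')
PROBE_RE = re.compile(r"phpinfo", re.IGNORECASE)


def classify(line):
    """Return None for uninteresting lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith(HOOK_PATH):
        return None
    query = unquote_plus(url.query)  # single URL-decode of the query string
    severity = "info"  # any request to the hook is worth recording
    if SERIALIZED_OBJ_RE.search(query):
        severity = "high"
    if PROBE_RE.search(query):
        severity = "critical"
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "status": m.group("status"), "severity": severity}


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log (documentation IP ranges, placeholder class name).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2015:22:10:03 -0500] "GET /vbforum/forum.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Nov/2015:22:18:21 -0500] "GET /vbforum/ajax/api/hook/decodeArguments'
    '?arguments=O%3A7%3A%22Example%22%3A0%3A%7B%7D HTTP/1.1" 200 312',
    '198.51.100.7 - - [02/Nov/2015:22:18:25 -0500] "GET /vbforum/ajax/api/hook/decodeArguments'
    '?arguments=phpinfo%28%29 HTTP/1.1" 200 74211',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```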

Patch and Protect

If we have not emphasized it enough before: you have to patch your vBulletin site now! Websites behind our WAF are (and always were) protected against this vulnerability thanks to our virtual hardening technology. If you cannot patch your vBulletin site, we recommend looking at a solution that stops these exploits before they reach you.

Serious Vulnerability in VBSEO

The vBulletin team sent an email yesterday to all their clients about a potential security vulnerability in VBSEO. VBSEO is a widely used SEO module for vBulletin that was discontinued last year. This makes the problem worse, as no patches will be released for it.

If you are using VBSEO, you have three options:

  1. Completely remove VBSEO from your site – it is not supported anymore.
  2. Apply the patch recommended by the vBulletin team.
  3. Put your site behind a Website Firewall; this will prevent the exploitation of this vulnerability and many others.

Our research team is looking at this issue and it seems to be a remote, unauthenticated script (HTML) injection vulnerability. It might lead to a full remote command execution, but we have not confirmed it yet. That’s as serious as it can get, since an attacker can use that to inject malware, spam or take down the site.

Update: We have since confirmed that the remote code execution vulnerability does in fact exist, which is why the recommendations above should be followed immediately on all affected VBSEO websites.
