CVE-2019-17132 vBulletin through 5.5.4 mishandles custom avatars

Preface: vBulletin™ is the world leader in forum and community publishing software. vBulletin Messenger makes use of AJAX-based chat functionality. The main benefit of developing websites using Ajax is that web browsers can retrieve more data without causing a web page to refresh.

Vulnerability details: User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars.
An attacker can exploit this flaw to inject and execute arbitrary PHP code.

Remark: Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).
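
Added example (not from the original post or from vBulletin's code): a detection check a defender could run over captured POST requests to this endpoint, flagging an avatar update whose “data[extension]” is not an image type or whose “data[filedata]” does not start with that type's magic bytes. It assumes a form-encoded body carrying the raw file bytes; the allowlist, function name and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs

ENDPOINT = "ajax/api/user/updateAvatar"  # endpoint named in the advisory

# Assumption: image types accepted as avatars, with their file signatures.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def check_request(path: str, body: bytes) -> list[str]:
    """Return findings for one POST; an empty list means nothing suspicious."""
    if ENDPOINT not in path:
        return []
    # Assumption: application/x-www-form-urlencoded body. latin-1 keeps a
    # 1:1 byte mapping, so percent-decoded file bytes survive the round trip.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    # PHP keeps the last value of a repeated parameter, so inspect that one.
    ext = fields.get("data[extension]", [""])[-1].strip().lower()
    data = fields.get("data[filedata]", [""])[-1].encode("latin-1")
    findings = []
    if ext not in MAGIC:
        findings.append(f"extension {ext!r} is not an allowed image type")
    elif not data.startswith(MAGIC[ext]):
        findings.append(f"filedata does not start with {ext} magic bytes")
    return findings


# Constructed sample requests (path, body); not taken from real traffic.
SAMPLES = [
    ("/ajax/api/user/updateAvatar",
     b"data%5Bextension%5D=gif&data%5Bfiledata%5D=GIF89a%01%00%01%00"),
    ("/ajax/api/user/updateAvatar",
     b"data[extension]=php&data[filedata]=placeholder-text"),
    ("/ajax/api/user/updateAvatar",
     b"data[extension]=png&data[filedata]=placeholder-text"),
    ("/forum/index.php", b"data[extension]=php"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, check_request(path, body) or "ok")
```

The same two checks (extension allowlist, content signature matching the claimed type) are what server-side validation of these parameters has to enforce.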

How an attacker detects that a web site runs vBulletin:

  • HTTP headers, including cookies
  • Unique JavaScript code that the software inserts into web pages
  • Meta tags within the HTML pages

Remedy: patches available for the following versions of vBulletin Connect:

- 5.5.4 Patch Level 2
- 5.5.3 Patch Level 2
- 5.5.2 Patch Level 2