Reports: Actively exploited zero-day found in vBulletin forum software
Thursday, September 26, 2019
As of Sept. 25, vBulletin has not yet issued a fix. However, BleepingComputer reported that security researcher Nick Cano created an easy patch. SC Media has reached out to vBulletin developer MH Sub I, LLC for comment.
“This critical RCE vulnerability is surprisingly simple to exploit, and sadly very few web application firewalls (WAF) will block its exploitation,” added Ilia Kolochenko, founder and CEO of ImmuniWeb. “These days security flaws exploitable in a default configuration and without authentication are very rare in such well-established web software. We should expect a tornado of automated hacking and web server backdooring campaigns to start now.”
“Website owners running the vulnerable versions should urgently shut down their vBulletin forums completely while the vendor is working on an emergency patch,” Kolochenko continued.
“It was just a matter of time before bad actors fixed their crosshairs on forums – rich storehouses of user information,” said Mike Bittner, associate director of digital security and operations at The Media Trust, in emailed comments. “Forum software vendors,” Bittner continued, “too often collect information on users without site owners’ authorization, while failing to equip their products with the needed security and privacy protections…”
“In an environment where bad actors are always looking out for vulnerabilities they can exploit or well-intentioned products like vBulletin they can abuse, site owners will need to close the security gaps themselves, ideally by carefully vetting their vendors and ensuring those vendors observe digital policies,” Bittner continued.
The Daily Swig: vBulletin zero-day: Critical exploit leaves forum sites open to attack