Regardless of its usage, any software implementation can present serious security errors. A researcher in vulnerability testing that remains anonymous for the time has revealed details about zero-day vulnerability in vBulletin, the most widely used Internet forum creation software nowadays.
The problem is that it appears that the person in charge of publishing this information made this decision unilaterally and arbitrarily, so the cybersecurity community fears that this could lead to a chain of attempts to exploit this flaw in multiple Internet forums, compromising the information of affected users.
After analyzing the published code anonymously, vulnerability testing experts concluded that, if exploited, this zero-day vulnerability would allow a threat actor to execute shell commands on the server where the implementation of vBulletin, in addition it is not necessary for the hacker to have a user account in the target forum.
In the world of cybersecurity, this is known as pre authentication remote code execution vulnerability, a severe security flaw that could completely affect any online platform. Two specialized firms have already analyzed the code and verified that it actually works.
The anonymous expert decided to publish details about this flaw through Full Disclosure, a publicly accessible email list to discuss reporting security flaws, vulnerabilities, among other topics. When a company fails to fix a new vulnerability within a given time frame, it is common for researchers to disclose details about exploiting these flaws, although some requirements must be met first.
However, it has not yet been determined whether the researcher reported the security flaw to vBulletin or whether the company’s vulnerability testing experts failed to correct the issues properly and in the set time; in the end, the fact is that the anonymous expert decided to publish the code.
MH Sub I, LLC, the company in charge of marketing this software, has not commented on this incident. The company’s hermetic stance suggests vulnerability testing experts that this could be a tactic planned by the company, publishing this zero-day vulnerability to create chaos in similar implementations, which would affect millions of users.
Despite being a commercial development, this is the software package for the creation of the most used web forums currently, surpassing other similar implementations such as XenForo, phpMM, Simple Machines Forum, among others.
According to specialists from the International Institute of Cyber Security (IICS) about 0.1% of all websites in the world have a vBulletin forum and, although it seems like a very small figure, this vulnerability could affect millions of users.
The main reason to be concerned is the very nature of online forums. While millions of websites do not have the ability to store information from their users, online forums can be a very good source of data, so the scope of such an incident should not be taken lightly.