A new zero-day vulnerability, CVE-2019-16759, was just unearthed in vBulletin, a proprietary Internet forum software package. The vulnerability was discovered by an anonymous security researcher who published the details of the exploit online, exposing vBulletin users to significant risk. As the CVE-2019-16759 vulnerability is currently unpatched, security researchers are concerned that the publication of the exploit details could lead to attacks on internet forums.
What is the vBulletin zero-day all about?
Analysis of the published code reveals that the flaw could allow an attacker to execute shell commands on the server running the vBulletin installation. It should also be noted that the attacker does not need a registered account on the targeted forum. This is known as a pre-authentication remote code execution attack, which is considered one of the worst classes of flaws affecting web-based platforms.
Tenable researchers were able to analyze and confirm that this exploit works on default configurations of vBulletin. Based on the public proof of concept code, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands.
These commands would be executed with the permissions of the user account under which the vBulletin service runs. Depending on that service user's permissions, this could allow complete control of the host, the researchers said.
At the time of publication, the CVE-2019-16759 zero-day vulnerability has no official mitigation or fix. Security researchers expect vBulletin to respond with an advisory or patch soon.
Who is at risk?
Although it is a commercial product, vBulletin is currently the most popular web forum software package. Its market share appears to be larger than that of open-source solutions such as phpBB, XenForo, Simple Machines Forum, etc.
According to W3Techs, around 0.1% of all internet sites run a vBulletin forum. The percentage may look insignificant, but it actually impacts millions, if not billions, of internet users, ZDNet points out.