Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Patch your vBulletin forum asap to avoid being hacked

vBulletin forums need to be patched asap to avoid attackers to scan servers hosting the CMS and remotely execute arbitrary code. Hackers breached the Steam’s Dota 2 forums and have leaked a couple of million credentials (the archive contains MD5-hashed passwords), but what is happening to forums based on the popular vBulletin CMS? vBulletin forum administrators need […]

vbulletin

vBulletin forums need to be patched asap to avoid attackers to scan servers hosting the CMS and remotely execute arbitrary code.

Hackers breached the Steam’s Dota 2 forums and have leaked a couple of million credentials (the archive contains MD5-hashed passwords), but what is happening to forums based on the popular vBulletin CMS?

vBulletin forum administrators need to patch their platforms, the security updates fix multiple server-side request forgery bugs in vBulletin 3.8.9, 3.8.10 beta, 4.2.3, 4.2.4 beta, and 5.2.3.

A simple Google search reports that at least 18 million sites are based on the vBulletin CMS.

vbulletin

The flaws could be exploited by hackers to get access to services such as email and cache management.

The security expert Dawid Golunski confirmed the business impact of the flaw in a security advisory.

“The vulnerability can expose internal services running on the server/within the local network.
If not patched, unauthenticated attackers or automated scanners searching for vulnerable servers could send malicious data to internal services.” wrote Golunski.
“Depending on services in use, the impact could range from sensitive information disclosure, sending spam, DoS/data loss to code execution as demonstrated by  the PoC exploit in this advisory.”

The researchers pointed a portion of  the vBulletin codebase that accepts redirects from the target server specified in a user-provided link allowing HTTP redirects.

“HTTP redirects are also prohibited however there is one place in the vBulletin codebase that accepts redirects from the target server specified in a  user-provided link. The code is used to upload media files within a logged-in user’s profile and  can normally be accessed under a path similar to:

http://forum/vBulletin522/member/1-mike/media

By specifying a link to a malicious server that returns a 301 HTTP redirect to the URL of http://localhost:3306 for example, an attacker could easily bypass the restrictions presented above and make a connection to mysql/3306 service listening on the localhost.

This introduces a Server Side Request Forgery (SSRF) vulnerability.”

The security advisory also includes proof-of-concept code.

Back to the data breach of Dota 2 forums, it was based on a simple SQL injection attack. Leakedsource.com, that first reported the incident, confirmed that it has already converted 80% of the more than 1.9 million passwords.

If you are running a vBulletin forum, patch it now.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – forums, hacking)