Regardless of its purpose, any software implementation can contain serious security errors. A vulnerability researcher who remains anonymous for now has revealed details of a zero-day vulnerability in vBulletin, currently the most widely used Internet forum software.
The problem is that the person who published this information appears to have made the decision unilaterally and arbitrarily, so the cybersecurity community fears it could trigger a wave of attempts to exploit this flaw across many Internet forums, compromising the information of affected users.
After analyzing the anonymously published code, vulnerability testing experts concluded that, if exploited, this zero-day vulnerability would allow a threat actor to execute shell commands on the server hosting the vBulletin installation; moreover, the attacker does not need a user account on the target forum.
In cybersecurity terms, this is known as a pre-authentication remote code execution (RCE) vulnerability, a severe class of flaw that can lead to the complete compromise of any affected online platform. Two specialized firms have already analyzed the code and verified that it actually works.
The anonymous expert chose to publish the details of this flaw through Full Disclosure, a publicly accessible mailing list for reporting and discussing security flaws and vulnerabilities, among other topics. When a vendor fails to fix a newly reported vulnerability within a given time frame, it is common for researchers to disclose details of how to exploit it, although certain conditions are usually expected to be met first.
However, it has not yet been determined whether the researcher reported the security flaw to vBulletin in the first place, or whether the company's vulnerability testing experts failed to correct the issue properly and within the agreed time; in the end, the fact is that the anonymous expert decided to publish.
MH Sub I, LLC, the company that markets this software, has not commented on the incident. The company's silence suggests to some vulnerability testing experts that this could even be a tactic planned by the company itself, publishing this zero-day vulnerability to create chaos in similar implementations, which would affect millions of users.
Despite being a commercial product, vBulletin is currently the most widely used web forum package, surpassing similar implementations such as XenForo, phpBB and Simple Machines Forum, among others.
According to specialists from the International Institute of Cyber Security (IICS), about 0.1% of all websites in the world run a vBulletin forum; although that seems like a very small figure, this vulnerability could still affect millions of users.
The main reason for concern is the very nature of online forums. While millions of websites store no information about their visitors at all, online forums hold a wealth of user data, so the potential scope of such an incident should not be taken lightly.