VBulletin Pre-Auth RCE

CVE-2020-17496, CVE-2019-16759 | CWE-74 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | OWASP API 2019-API7 | OWASP 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9 | WASC

vBulletin is a proprietary Internet forum and portal package written in PHP. In vBulletin versions 5.5.4 through 5.6.2, an unauthenticated remote attacker can execute arbitrary commands by sending crafted subWidgets POST data to the /ajax/render/widget_tabbedcontainer_tab_panel endpoint. This vulnerability is a bypass of the fix for CVE-2019-16759: a crafted HTTP request that carries a specially formed template name together with PHP code causes that code to be executed on the server, resulting in remote code execution.

Root cause of this vulnerability

vBulletin's template rendering function compiles XML templates into PHP code and executes the result. The function's parameters are taken from $_REQUEST, $_GET, and $_POST, so the template name and its associated configuration derived from those parameters are fully user-controllable. This is the root cause of the original RCE, CVE-2019-16759, and the incomplete fix left the same path reachable through the widget endpoint.
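As an added detection example (not code from the original advisory or from vBulletin itself), the following Python flags requests to the widget endpoint that carry subWidgets parameters. Because the rendering function reads its parameters from $_REQUEST, the check covers the query string as well as the POST body, which goes slightly beyond the POST-only case described above. The endpoint path with underscores, the sample records and the placeholder values are assumptions or constructed data.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory (underscored form assumed from the page's wording).
RENDER_PATH = "/ajax/render/widget_tabbedcontainer_tab_panel"


def _has_subwidgets(params: dict) -> bool:
    """True if any parameter key addresses the subWidgets array (e.g. subWidgets[0][template])."""
    return any(k == "subWidgets" or k.startswith("subWidgets[") for k in params)


def flag_request(method: str, url: str, body: str = "") -> Optional[dict]:
    """Return a finding when a request matches the CVE-2020-17496 pattern, else None.

    vBulletin takes template parameters from $_REQUEST, so the query string is
    inspected alongside the POST body rather than only the body.
    """
    parts = urlsplit(url)
    if not parts.path.startswith(RENDER_PATH):
        return None
    sources = []
    if _has_subwidgets(parse_qs(parts.query, keep_blank_values=True)):
        sources.append("query")
    if method.upper() == "POST" and _has_subwidgets(parse_qs(body, keep_blank_values=True)):
        sources.append("body")
    if not sources:
        return None
    return {"method": method.upper(), "path": parts.path, "subwidgets_in": sources}


def scan(records) -> list:
    """Apply flag_request to (method, url, body) tuples and keep the findings."""
    return [f for f in (flag_request(*r) for r in records) if f]


# Constructed sample request records, not real traffic; values are placeholders.
SAMPLE_REQUESTS = [
    ("POST", RENDER_PATH, "subWidgets[0][template]=TEMPLATE&subWidgets[0][config][key]=VALUE"),
    ("GET", RENDER_PATH + "?subWidgets[0][template]=TEMPLATE", ""),
    ("POST", RENDER_PATH, "tabid=1"),                       # ordinary panel render, not flagged
    ("POST", "/ajax/render/search_results", "subWidgets[0][template]=x"),  # other endpoint
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

On a real deployment the same check can be fed from a reverse-proxy or WAF log that records request bodies, since standard access logs usually omit them.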

Mitigation / Precaution

If you are running vBulletin 5.5.4 through 5.6.2, update to the most recent vBulletin release.
