The vBulletin software package is a PHP-programmed proprietary Internet portal. Remote command execution is possible in vBulletin versions 5.5.4 to 5.6.2 through a constructed subWidgets POST data to /ajax/render/widget tabbedcontainer tab panel. This vulnerability is a bypass for CVE-2019-16759, which enables hackers to upload a built HTTP request including a structured template name, as well as malicious PHP code resulting in remote code execution.
Root cause of this vulnerability
The template rendering function of vBulletin transforms XML templates to PHP code and executes it. This function’s parameters are taken from $_REQUESTS, $_GET, and $_POST. As a result, the template name and associated configuration that derive from such parameters are user-controllable, the outcome of which is RCE vulnerability CVE-2019-16759.
Mitigation / Precaution
If you are using vBulletin 5.5.4 to 5.6.2 Update to the most recent edition of vBulletin.
