VBulletin Pre-Auth RCE

Anandhu Krishnan
Published on
16 Jun 2021

The vBulletin software package is a PHP-programmed proprietary Internet portal. Remote command execution is possible in vBulletin versions 5.5.4 to 5.6.2 through a constructed subWidgets POST data to /ajax/render/widget tabbedcontainer tab panel. This vulnerability is a bypass for CVE-2019-16759, which enables hackers to upload a built HTTP request including a structured template name, as well as malicious PHP code resulting in remote code execution.

Root cause of this vulnerability

The template rendering function of vBulletin transforms XML templates to PHP code and executes it. This function’s parameters are taken from $_REQUESTS, $_GET, and $_POST. As a result, the template name and associated configuration that derive from such parameters are user-controllable, the outcome of which is RCE vulnerability CVE-2019-16759.

Mitigation / Precaution

If you are using vBulletin 5.5.4 to 5.6.2 Update to the most recent edition of vBulletin.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Anandhu Krishnan
Anandhu Krishnan
Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment