
Researcher spots an SSRF bug in vBulletin

A high-severity pre-authentication server-side request forgery (SSRF) vulnerability in the vBulletin forum software, spotted by LegalHackers researcher Dawid Golunski, allows an unauthenticated attacker to port-scan internal services and to execute arbitrary system commands via a locally installed Zabbix Agent monitoring service, according to an Aug. 5 security advisory.

The vulnerability, which affects versions 5.2.2, 4.2.3, and 3.8.9, has now been patched. 

“Additionally, depending on the temporary directory location configured within the forum, attackers could potentially view the service responses as the download function stores responses within temporary files which could be viewed if the temporary directory is exposed on the web server,” the advisory said.

Users are advised to update to the latest version.
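Beyond patching, the underlying defence for an SSRF of this kind is to validate the destination before the server fetches a user-supplied URL. The check below is an added Python illustration of that validation, not vBulletin's code or anything from the advisory: it rejects non-HTTP schemes, non-standard ports (which is what stops the "download" feature being used as a port scanner or to reach a local monitoring agent) and hosts that resolve to loopback, private or other non-routable addresses. The `resolver` parameter and the sample hosts are constructed so the function can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # an SSRF to 10050 (Zabbix agent) or other ports fails here


def resolve_all(host):
    """Default resolver: every address the host name maps to, as strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_internal(ip):
    """True for loopback, RFC 1918, link-local, multicast and other non-global space."""
    return (not ip.is_global) or ip.is_multicast


def check_download_url(url, resolver=resolve_all):
    """Return (ok, reason) for a URL the server is about to fetch on a user's behalf.

    Every address the host resolves to must be globally routable; one internal
    answer is enough to reject, so a name that mixes public and private records
    cannot be used to reach the internal network.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        # Literal IPs are checked directly; names go through the resolver.
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "host does not resolve"
    for ip in addresses:
        if is_internal(ip):
            return False, "host resolves to internal address %s" % ip
    # Caveat: the fetch must connect to one of the addresses validated here,
    # otherwise a second DNS lookup at fetch time can be rebound to an internal IP.
    return True, "ok"
```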
