#VU37761 Path traversal in vBulletin - CVE-2017-17671

Cybersecurity Help s.r.o.

Published: 2017-12-14 | Updated: 2020-08-08

Vulnerability identifier: #VU37761

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-17671

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
vBulletin
Web applications / Forum & blogging software

Vendor: vBulletin

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but .. traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

vBulletin: 5.0.0

External links
https://blogs.securiteam.com/index.php/archives/3569

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Path traversal in vBulletin