vBulletin remote command execution via the widgetConfig[code] parameter

Added: 09/27/2019

Background

vBulletin is a commercial web bulletin board application written in PHP using MySQL.

Problem

vBulletin 5 evaluates the contents of the widgetConfig[code] request parameter as PHP when the request is routed to the PHP widget renderer (routestring=ajax/render/widget_php). No authentication is required, so a remote attacker who can reach index.php can execute arbitrary PHP, and through it operating-system commands, with the privileges of the web server process.
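The following detector is an added example, not code from the original advisory or from vBulletin. It scans constructed Apache combined-format access-log lines for requests that hit the ajax/render/widget_php route and carry a widgetConfig[code] parameter in the query string. Note the caveat it encodes: the public attack is a POST, and POST bodies are not in a standard access log, so a bare widget_php route hit is reported as a probe and the parameter is only visible when it was sent in the URL. The checking of the URL path (for installs that rewrite routestring into the path) and the sample lines are assumptions made for the example.

```python
"""Flag vBulletin widget_php / widgetConfig[code] abuse in web-server access logs."""
import re
from urllib.parse import parse_qsl, urlsplit

WIDGET_ROUTE = "ajax/render/widget_php"   # routestring value named in the advisory
CODE_PARAM = "widgetConfig[code]"          # parameter whose value is evaluated as PHP

# Apache/nginx combined log format: client IP, timestamp, "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample traffic for the example; not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2019:10:01:02 +0000] "GET /index.php?routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+shell_exec%28%27id%27%29%3B+exit%3B HTTP/1.1" 200 512 "-" "curl/7.64.1"
203.0.113.5 - - [27/Sep/2019:10:01:05 +0000] "POST /index.php?routestring=ajax/render/widget_php HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
198.51.100.7 - - [27/Sep/2019:10:02:10 +0000] "GET /forum/index.php?routestring=forum/general-discussion HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Sep/2019:10:03:44 +0000] "GET /index.php?widgetConfig[code]=phpinfo();&routestring=ajax/render/widget_php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def classify_request(method: str, target: str):
    """Classify one request target.

    Returns ("rce", reason) when the widget_php route and widgetConfig[code]
    are both present in the URL, ("probe", reason) when only one of them is,
    and None for unrelated requests.
    """
    parts = urlsplit(target)
    # parse_qsl percent-decodes keys and values, so %5Bcode%5D becomes [code].
    params = parse_qsl(parts.query, keep_blank_values=True)
    route = "/".join(v for k, v in params if k == "routestring").lower()
    # Assumption for the example: some installs rewrite routestring into the
    # path, so the path is checked as well as the query parameter.
    route_hit = WIDGET_ROUTE in route or WIDGET_ROUTE in parts.path.lower()
    code_hit = any(k.startswith(CODE_PARAM) for k, _ in params)

    if route_hit and code_hit:
        return "rce", f"{CODE_PARAM} sent to {WIDGET_ROUTE} in the query string"
    if route_hit:
        # For POST the payload lives in the body, which access logs do not record.
        where = "body not logged" if method == "POST" else "no code parameter in URL"
        return "probe", f"{WIDGET_ROUTE} route hit ({where})"
    if code_hit:
        return "probe", f"{CODE_PARAM} present without the widget_php route"
    return None


def scan_log(text: str):
    """Return a list of findings (ip, ts, method, level, reason) for a log text."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        result = classify_request(m["method"], m["target"])
        if result is None:
            continue
        level, reason = result
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "level": level, "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['level']:5} {f['ip']:15} {f['method']:4} {f['reason']}")
```

Run it against a real access log by passing the file contents to scan_log(). Because the disclosed attack uses a POST body, treat any "probe" hit on the widget_php route from an unknown client as worth a look, and pair this with request-body logging or a WAF rule if you need to see the payload itself.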

Resolution

Upgrade to a vBulletin release later than 5.5.4 when one is available, or apply the vendor security patch issued for 5.5.2, 5.5.3 and 5.5.4. Until that is done, block requests that carry the widgetConfig[code] parameter, or that route to ajax/render/widget_php, at the web server or WAF as an interim mitigation.

References

https://seclists.org/fulldisclosure/2019/Sep/31

Limitations

The exploit works against vBulletin versions 5.0.0 through 5.5.4; unpatched installations in that range should be assumed exposed.