Server-Side request forgery in vBulletin

Published: 2016-08-10 | Updated: 2016-10-15
Severity Critical
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2016-6483
CWE ID CWE-918
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software vBulletin Subscribe
Vendor vBulletin

Security Advisory

This security advisory describes one critical risk vulnerability.

This vulnerability was used to hack Mail.ru and Funcom forums.

1) Server-Side Request Forgery

Severity: Critical

CVSSv3: 9.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6483

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Description

The vulnerability allows a remote attacker to perform server-side forgery attacks and compromise vulnerable system.

The vulnerability exists due to incorrect link handling in file upload functionality. A remote attacker can use a malicious server that returns a 301 HTTP redirect response to local resource to connect to services within internal network or on localhost.

Successful exploitation of this vulnerability may allow an attacker to perform SSRF attack to retrieve information for further attacks against vulnerable system by performing unauthorized connections to local resources, gain access to sensitive information and compromise vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

To resolve this issue install security patch from vendor's website:

5.2.2 Patch Level 1
5.2.1 Patch Level 1
5.2.0 Patch Level 3

4.2.3 Patch Level 2
4.2.2 Patch Level 6

3.8.9 Patch Level 1
3.8.8 Patch Level 2
3.8.7 Patch Level 6

Vulnerable software versions

vBulletin: 3.8.7, 3.8.7 Patch Level 1, 3.8.7 Patch Level 2, 3.8.7 Patch Level 3, 3.8.7 Patch Level 4, 3.8.7 Patch Level 5, 3.8.8, 3.8.8 Patch Level 1, 3.8.9, 4.2.2, 4.2.2 Patch Level 1, 4.2.2 Patch Level 2, 4.2.2 Patch Level 3, 4.2.2 Patch Level 4, 4.2.2 Patch Level 5, 4.2.3, 4.2.3 Patch Level 1, 5.2.0, 5.2.0 Patch Level 1, 5.2.0 Patch Level 2, 5.2.1, 5.2.2

CPE External links

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-secu...
http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-secu...
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-secu...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



ImmuniWeb® AI Platform for Application Security Testing