An exploit found in the World’s fourth most popular content management system (CMS) “vBulletin,” which allows a hacker to create an account on the website with administrative privileges, right now over 100,000 websites powered by this software.
In August, vBulletin users using version 4.x and 5.x of its software were informed that they needed to remove two directories ( “/install” and “/core/install”) on sites using the system or they would leave themselves open to an unspecified attack.
And according to a data security company “Imperva” users didn’t listen up the warning and in result over 35,000 websites running vBulletin have been hacked using this vulnerability.
We took a look to the vBulletin website and found Major companies like EA, Zynga, Sony and Steam are listed in their customer section.
Imperva writes in its blog:
Although vBulletin has not disclosed the root cause of the vulnerability or its impact, the Imperva Application Defense Center (ADC) has determined the attacker’s methods.
How an attacker able to create an account with administrator privileges:
In the initial analysis, Imperva gone through the warning—vBulletin released in August, a victimized user shared his server’s Apache log over there— providing some visibility into the attacker’s procedure:
In the image above, you can see how the attacker using GET request for the “/install/upgrade.php,” which was already announced as a vulnerable resource, 5 times attacker’s request replied to him 404 NOT FOUND, but the 6th request replied 200 which means attacker successfully find existing resource. The attacker issues a “POST” request to the same resource with the attack payload. Since the Apache logger does not log the parameters of POST requests, the details of the attack are not yet revealed.
After getting some more technical details and an exploit code, Imperva tested the attack and successfully added an administrator account on a website installed vBulletin software.
For a successful attack on the website, an attacker needs, vulnerable vBulletin upgrade.php exact URL and the customer ID. In the above image you have seen, how attacker successfully found the upgrade.php exact URL, now, to find the customer ID, hackers had created an additional auxiliary PHP script, which scans a site for the vulnerable path, exactly as shown above image, and extracts the customer ID from the vulnerable upgrade.php page, as it’s embedded within the page’s source code.
Using vBulletin software? Secure your website from hackers—read the recommendations below (VIA- Imperva):
- Remove the /install and /core/install directories in versions 4.x and 5.x respectively.
- If you are not able to remove, so use block access or redirect requests that hit upgrade.php through via either a WAF, or via web server access configuration.
