CVE-2013-6129
Published 2013-10-19
CVE-2013-6129: The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password]…
Priority: P276 · high · CVSS 2.0: 7.5
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.89% (98.8th percentile)
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
Detection & IOCs (extracted from sources)
Command (POST body sent to /install/upgrade.php):
ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0&only=false&customerid=<id>&options[skiptemplatemerge]=0&response=yes&htmlsubmit=1&htmldata[username]=<user>&htmldata[password]=<pass>&htmldata[confirmpassword]=<pass>&htmldata[email]=<email>
- Monitor HTTP POST requests to /install/upgrade.php containing the parameters customerid, htmldata[password], htmldata[confirmpassword], htmldata[email] and step=7. This is the exact payload pattern used to inject a new admin account.
- Alert on HTTP GET requests to /install/upgrade.php whose response contains the string 'CUSTNUMBER'. Attackers first retrieve the customer number from the script source before sending the admin-injection POST.
- Alert on HTTP responses from /install/upgrade.php containing the string 'Administrator account created'. This string confirms successful exploitation.
- Detect the Cookie header 'bbcustomerid' in POST requests to /install/upgrade.php. The exploit sets this cookie to pass the customer ID during the admin-injection step.
- The /install/ directory (and upgrade.php within it) should be renamed or deleted on production systems to eliminate the attack surface entirely.
- This vulnerability was actively exploited in the wild in October 2013; affected versions include vBulletin 4.1.x and 5.x.x.
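Detection logic for the indicators listed above, written as an added example in Python; it is not code from the advisory, from vBulletin, or from any of the cited sources. The HttpRecord schema (src, method, path, body, cookies, response_body) is an assumption about what a proxy or WAF export provides, the log records are constructed for illustration, and the CUSTNUMBER response snippet is a stand-in rather than vBulletin's actual markup. The classifier tags each record with the indicator(s) it matches, and the correlator reports sources that show the full recon, injection and success chain.

```python
"""Detection for CVE-2013-6129 (vBulletin install/upgrade.php admin injection).

Added example, not part of the advisory or any vendor tooling. The record
schema and the sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

TARGET_PATH = "/install/upgrade.php"

# Parameters that must all be present, together with step=7, for the
# admin-injection POST (from the CVE text and the published request body).
INJECTION_PARAMS = frozenset({
    "customerid",
    "htmldata[password]",
    "htmldata[confirmpassword]",
    "htmldata[email]",
})
RECON_MARKER = "CUSTNUMBER"                       # leaked in the GET response
SUCCESS_MARKER = "Administrator account created"  # response on successful injection
EXPLOIT_COOKIE = "bbcustomerid"                   # cookie set by the exploit
FULL_CHAIN = frozenset({"recon_custnumber_leak", "admin_injection_post", "exploit_success"})


@dataclass
class HttpRecord:
    """One request/response pair as a proxy or WAF might export it (assumed schema)."""
    src: str
    method: str
    path: str
    body: str = ""
    cookies: dict = field(default_factory=dict)
    response_body: str = ""


def classify(rec: HttpRecord) -> list:
    """Return the detection tags that fire for a single record (empty if none)."""
    tags = []
    if rec.path.lower() != TARGET_PATH:
        return tags
    method = rec.method.upper()
    if method == "GET" and RECON_MARKER in rec.response_body:
        tags.append("recon_custnumber_leak")
    if method == "POST":
        params = parse_qs(rec.body, keep_blank_values=True)
        # parse_qs keeps bracketed keys literally, so "htmldata[password]" matches as-is.
        if INJECTION_PARAMS <= set(params) and params.get("step") == ["7"]:
            tags.append("admin_injection_post")
        if EXPLOIT_COOKIE in rec.cookies:
            tags.append("exploit_cookie_bbcustomerid")
    if SUCCESS_MARKER in rec.response_body:
        tags.append("exploit_success")
    return tags


def correlate(records) -> list:
    """Source addresses whose records cover the whole recon -> inject -> success chain."""
    seen = {}
    for rec in records:
        seen.setdefault(rec.src, set()).update(classify(rec))
    return sorted(src for src, tags in seen.items() if FULL_CHAIN <= tags)


# Constructed records: 203.0.113.5 performs the two-step flow from the published
# exploit; 198.51.100.7 is a benign forum visitor plus one legitimate upgrade step.
SAMPLE_RECORDS = [
    HttpRecord("203.0.113.5", "GET", "/install/upgrade.php",
               response_body="<script>CUSTNUMBER = 'XXXX';</script>"),  # stand-in markup
    HttpRecord("203.0.113.5", "POST", "/install/upgrade.php",
               body=("ajax=1&version=install&checktable=false&firstrun=false&step=7"
                     "&startat=0&only=false&customerid=XXXX&options[skiptemplatemerge]=0"
                     "&response=yes&htmlsubmit=1&htmldata[username]=attacker"
                     "&htmldata[password]=Passw0rd&htmldata[confirmpassword]=Passw0rd"
                     "&htmldata[email]=attacker@example.com"),
               cookies={"bbcustomerid": "XXXX"},
               response_body="... Administrator account created ..."),
    HttpRecord("198.51.100.7", "GET", "/forum/index.php", response_body="<html>...</html>"),
    HttpRecord("198.51.100.7", "POST", "/install/upgrade.php",
               body="ajax=1&version=install&step=1&customerid=XXXX",
               response_body="..."),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.src, rec.method, rec.path, classify(rec))
    print("full exploit chain from:", correlate(SAMPLE_RECORDS))
```

The step=1 record shows why step=7 and the htmldata[...] fields are required together: a legitimate upgrade run also POSTs customerid to the same script, and matching on the path alone would page on every upgrade. The recon and success tags depend on response bodies being logged; a WAF that records only requests will still see the injection POST and the bbcustomerid cookie.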
CVSS provenance
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck · 7.5 HIGH
GHSA
GHSA-rj2v-jjj7-r36g [HIGH]: The install/upgrade
ghsa_unreviewed · 2022-05-17
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.
VulnCheck
vBulletin 4.1 and 5 install/upgrade.php Scripts Remote Security Bypass [HIGH]
vulncheck · 2013 · CVSS 7.5
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.
Affected: vBulletin vBulletin
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2013-6129; https://www.cve.org/CVERecord?id=CVE-2013-6129
No detection rules found.
Exploit-DB
vBulletin 4.1.x - '/install/upgrade.php' Security Bypass
exploitdb · 2013-10-13
---
source: https://www.securityfocus.com/bid/62909/info
vBulletin is prone to a security-bypass vulnerability.
Successful exploits can allow attackers to bypass certain security restrictions and perform unauthorized actions.
```perl
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through upgrade.php script.
#
# Vulnerability details:
# upgrade
```
Metasploit
vBulletin Administrator Account Creation
metasploit
This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild in October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0.
Qualys
Hackers Are Having a Field Day with Stolen Credentials
blogs_qualys · 2017-01-10
Login credentials have always been a weak link in cybersecurity’s protection chain, a situation that’s worsening. However, this trend could be reversed with a bit of effort from end users, website owners and software vendors.
## 2016: The Year of Stolen Credentials
Hackers made hay of the sorry state of credential security in 2016. They stole millions of username and password combinations from online services of all shapes and sizes. Blogs and discussion forums were hit particularly hard.
Exploiting credentials is an old attack vector that still works wonders for hackers. In its 2016 Data Breach Investigations Report (DBIR), Verizon added a section about credentials, revealing that 63% of data breaches involved weak, default or stolen passwords.
“This statistic drives our recommendatio
References
- http://www.net-security.org/secworld.php?id=15743
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5