CVE-2013-6129
published 2013-10-19


Priority: P276 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.89% (98.8th percentile)
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
vbulletin | vbulletin | |
vbulletin | vbulletin | |

Detection & IOCs (extracted from sources)

path: /install/upgrade.php
cookie: bbcustomerid=<customerid>
command: ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0&only=false&customerid=<id>&options[skiptemplatemerge]=0&response=yes&htmlsubmit=1&htmldata[username]=<user>&htmldata[password]=<pass>&htmldata[confirmpassword]=<pass>&htmldata[email]=<email>
  • Monitor HTTP POST requests to /install/upgrade.php containing parameters: customerid, htmldata[password], htmldata[confirmpassword], htmldata[email], and step=7 — this is the exact payload pattern used to inject a new admin account.
  • Alert on HTTP GET requests to /install/upgrade.php that result in a response containing 'CUSTNUMBER' — attackers first retrieve the customer number from the script source before launching the admin injection POST.
  • Alert on HTTP responses from /install/upgrade.php containing the string 'Administrator account created' — this string confirms successful exploitation.
  • Detect presence of the Cookie header 'bbcustomerid' in POST requests to /install/upgrade.php — this cookie is set by the exploit to pass the customer ID during the admin injection step.
  • The /install/ directory (and upgrade.php within it) should be renamed or deleted on production systems to eliminate the attack surface entirely.
  • This vulnerability was actively exploited in the wild in October 2013; affected versions include vBulletin 4.1.x and 5.x.x.
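
The four monitoring rules above, applied to proxy or WAF transaction records. This is an added example, not code from the original page or from any vendor; the record layout (method, url, cookie, body, response), the rule names and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

UPGRADE_PATH = "/install/upgrade.php"
ADMIN_PARAMS = {"customerid", "htmldata[password]",
                "htmldata[confirmpassword]", "htmldata[email]"}

def findings(txn):
    """Return the names of the rules that one HTTP transaction record matches."""
    url = urlsplit(txn["url"])
    # Decode and collapse slashes so /forum//install/upgrade%2Ephp still matches.
    path = re.sub(r"/+", "/", unquote(url.path)).lower()
    if not path.endswith(UPGRADE_PATH):
        return []
    method = txn["method"].upper()
    # parse_qs percent-decodes names: htmldata%5Bpassword%5D -> htmldata[password].
    params = parse_qs(url.query, keep_blank_values=True)
    params.update(parse_qs(txn.get("body", ""), keep_blank_values=True))
    cookies = {c.split("=", 1)[0].strip().lower()
               for c in txn.get("cookie", "").split(";")}
    response = txn.get("response", "")
    hits = []
    if method == "POST" and ADMIN_PARAMS.issubset(params) and "7" in params.get("step", []):
        hits.append("admin-injection-post")
    if method == "GET" and "CUSTNUMBER" in response:
        hits.append("customer-number-read")
    if "Administrator account created" in response:
        hits.append("admin-account-created")
    if method == "POST" and "bbcustomerid" in cookies:
        hits.append("bbcustomerid-cookie")
    return hits

def scan(records):
    """Return (record index, matched rules) for every record with at least one hit."""
    return [(i, h) for i, r in enumerate(records) if (h := findings(r))]

# Constructed sample records (not real traffic); all values are placeholders.
SAMPLE = [
    {"method": "GET", "url": "/forum/install/upgrade.php", "response": "... CUSTNUMBER ..."},
    {"method": "POST", "url": "/forum//install/upgrade.php",
     "cookie": "lang=en; bbcustomerid=PLACEHOLDER",
     "body": "ajax=1&step=7&customerid=PLACEHOLDER&htmldata%5Busername%5D=u"
             "&htmldata%5Bpassword%5D=p&htmldata%5Bconfirmpassword%5D=p"
             "&htmldata%5Bemail%5D=u%40example.test",
     "response": "Administrator account created"},
    {"method": "POST", "url": "/forum/install/upgrade.php", "body": "ajax=1&step=3", "response": "ok"},
    {"method": "POST", "url": "/index.php", "body": "step=7&customerid=x", "response": "ok"},
]

if __name__ == "__main__": print(scan(SAMPLE))
```

Matching on the decoded, slash-normalised path suffix covers forums installed in a subdirectory and requests with percent-encoded parameter names.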

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.5 | HIGH