cbcvebase.
CVE-2014-9463
published 2017-09-15


Priority: P2 68 high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 14.79% (96.3rd percentile)
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.

Detection & IOCs (extracted from sources)

  • url: http://server/visitormessage.php?do=message
  • path: /visitormessage.php
  • filename: functions_vbseo_hook.php
  • filename: shell.php
  • command: $stylevar[${${file_put_contents("shell.php","hacked")}}]
  • The exploit is delivered via a malicious HTTP Referer header containing a PHP variable-variable injection payload that targets the $stylevar array; monitor Referer headers for patterns matching $stylevar[${${...}}]
  • POST requests to visitormessage.php?do=message whose Referer header contains a file_put_contents() call should be treated as active exploitation attempts
  • The attacker drops a webshell (shell.php, downloader.php, s.php) in the web root; monitor for unexpected PHP file creation in the vBulletin document root following POST requests to visitormessage.php
  • Exploitation requires the attacker to be a registered, authenticated user on the vBulletin instance; unauthenticated exploitation is not possible
  • The exploit was tested specifically against vBulletin 4.2.2 with the VBSEO 4.x module; other versions may behave differently
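As an added example (not part of the CVE record or its sources), the two Referer-based rules above applied to web server access logs in Apache combined format. The log lines, source IPs and the two marker regexes are constructed assumptions; the payload markers themselves come from the IOCs listed above.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "Referer" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers from the IOC list: the $stylevar variable-variable wrapper and a
# file-writing call placed inside it (assumed regex forms of those IOCs).
STYLEVAR_INJECTION = re.compile(r"\$stylevar\[\$\{\$\{")
FILE_WRITE_CALL = re.compile(r"file_put_contents\s*\(")

# Constructed sample traffic; none of these lines is real.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2017:10:01:02 +0000] "POST /visitormessage.php?do=message HTTP/1.1" 200 512 '
    '"http://server/forum.php?$stylevar[${${file_put_contents(\'shell.php\',\'hacked\')}}]" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Sep/2017:10:02:10 +0000] "GET /visitormessage.php?do=message HTTP/1.1" 200 2048 '
    '"http://server/member.php?u=42" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Sep/2017:10:03:33 +0000] "POST /visitormessage.php?do=message HTTP/1.1" 200 512 '
    '"http://server/index.php?x=%24stylevar%5B%24%7B%24%7Bfile_put_contents(...)%7D%7D%5D" "curl/7.58"',
]


def inspect_line(line):
    """Return the list of rules this log line trips (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    path = m.group("path")
    referer = unquote(m.group("referer"))  # the payload may arrive URL-encoded
    on_target = (m.group("method") == "POST"
                 and "visitormessage.php" in path and "do=message" in path)
    if STYLEVAR_INJECTION.search(referer):
        reasons.append("Referer carries $stylevar[${${...}}] variable-variable injection")
    if on_target and FILE_WRITE_CALL.search(referer):
        reasons.append("POST to visitormessage.php?do=message with file_put_contents() in Referer")
    return reasons


def scan(lines):
    """Return (source_ip, reasons) for every line that trips at least one rule."""
    hits = []
    for line in lines:
        reasons = inspect_line(line)
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```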

CVSS provenance

  • nvd, CVSS v3.0: 8.8 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • nvd, CVSS v2.0: 9.0 CRITICAL, vector AV:N/AC:L/Au:S/C:C/I:C/A:C