CVE-2019-17132
Published 2019-10-04
Priority: P2 · 60
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 11.78% (95.6th percentile)
vBulletin through 5.5.4 mishandles custom avatars.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vbulletin | vbulletin | <= 5.5.4 | — |
Detection & IOCs (extracted from sources)
- Alert on POST parameters containing data[extension]=php submitted to the updateAvatar API route, indicating an attempt to change an uploaded avatar's file extension to PHP for webshell placement.
- Monitor for PHP files appearing under the vBulletin 'core/' avatar storage directory (e.g., core/customavatars/*.php), which should only contain image files.
- Detect HTTP requests containing a 'CMD:' header with a base64-encoded value — this is the webshell command-execution mechanism used post-exploitation.
- Look for the webshell output delimiter '____' in HTTP responses from the vBulletin core directory, indicating active webshell interaction.
- Caveat: the exploit only succeeds if the vBulletin 'Save Avatars as Files' option is enabled; if avatars are stored in the database (served via image.php), the PHP file cannot be written to disk and the exploit fails.
- Caveat: the attacker must have valid credentials to an existing vBulletin account; the exploit authenticates via the login endpoint before performing the avatar manipulation.
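The four detections above, turned into a small request classifier as an added example (not code from the page's sources or from vBulletin). It assumes a simplified request representation (dicts with method, path, headers, body, response, as a WAF or proxy log might provide) and assumes the updateAvatar route lives under /ajax/api/user/; the indicator strings themselves come from the list above.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Assumption: each request is a dict with method, path, headers, body, response.
def _params(path, body):
    """Merge query-string and form-body fields; parse_qs also decodes %5B/%5D."""
    merged = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for key, vals in parse_qs(body or "", keep_blank_values=True).items():
        merged.setdefault(key, []).extend(vals)
    return merged

def _is_base64(value):
    """True only for a non-empty value that strictly decodes as base64."""
    try:
        return bool(value) and len(base64.b64decode(value, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False

def classify(req):
    """Return the names of the detections that fire for one request."""
    hits = []
    path = req.get("path", "")
    lower = path.lower()
    if req.get("method", "").upper() == "POST" and "updateavatar" in lower:
        exts = _params(path, req.get("body")).get("data[extension]", [])
        if any(e.strip().lstrip(".").lower() == "php" for e in exts):
            hits.append("avatar_extension_php")
    if "/core/customavatars/" in lower and lower.split("?")[0].endswith(".php"):
        hits.append("php_in_avatar_dir")
    headers = {k.lower(): v for k, v in (req.get("headers") or {}).items()}
    if _is_base64(headers.get("cmd", "")):
        hits.append("webshell_cmd_header")
    if "/core/" in lower and "____" in (req.get("response") or ""):
        hits.append("webshell_output_delimiter")
    return hits

def scan(requests):
    """Map each request's index to its detections, skipping clean requests."""
    return {i: h for i, r in enumerate(requests) if (h := classify(r))}

# Constructed sample traffic: one extension tamper (URL-encoded brackets),
# one webshell call, and two benign requests that must not fire.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/ajax/api/user/updateAvatar", "body": "data%5Bextension%5D=php"},
    {"method": "GET", "path": "/core/customavatars/avatar7_1.php",
     "headers": {"CMD": "aWQ="}, "response": "uid=33(www-data)____"},
    {"method": "POST", "path": "/ajax/api/user/updateAvatar", "body": "data%5Bextension%5D=jpg"},
    {"method": "GET", "path": "/core/customavatars/avatar7_1.jpg"},
]
```

Feed `scan()` the parsed request records from your own proxy or WAF export; the caveats above still apply, so a hit on the avatar rule means an attempt, not necessarily a successful write to disk.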
CVSS provenance
- NVD, CVSS v3.1: 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.8 (MEDIUM), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/154759/vBulletin-5.5.4-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Oct/9
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2