Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dangerous VBulletin Exploit In the Wild

Posted by Unknown on Wednesday October 9, 2013 @01:27AM from the going-back-to-usenet dept.

An anonymous reader writes "vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker's methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site."

3 of 43 comments (clear)

Min score:

Reason:

Sort:

Short form: by Minupla · 2013-10-09 01:37 · Score: 5, Informative

For the TL;DR crowd:
* Delete /core/install and /install directory in all 4.x and 5.x vBulletin installs or block access to same. Do it now.
Min

--
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
CMS? by Anonymous Coward · 2013-10-09 01:40 · Score: 3, Informative

Did vBulletin change or something. I thought vBulletin was forum software, this states CMS. Or is CMS the preferred buzzword du jour?
Either way, this will mean more spam on lots of forums and more identity theft for those that use the same password for forums and bank accounts. Yawn.
1. Re:CMS? by trogdor8667 · 2013-10-09 09:05 · Score: 3, Informative
  
  vBulletin added a CMS and blog component in a previous major rewrite.