Researcher Publishes Patch Bypass for vBulletin 0-Day
2020-08-11 12:09

Calling a patch for the flaw a "fail" and "inadequate in blocking exploitation," Austin-based security researcher Amir Etemadieh published details and examples of exploit code for the patch on three developer platforms (Bash, Python and Ruby) in a post published Sunday night.

The key problem with the patch issued for the zero day is related to how the vBulletin template system is structured and how it uses PHP, he wrote in the post.

The patch is "short-sighted" because it faces problems when encountering a user-controlled child template, Etemadieh wrote.

Etemadieh goes on to show how another template that appears in the patch is "a perfect assistant in bypassing the previous CVE-2019-16759 patch" thanks to two key features: the template's ability to load a user-controlled child template, and how it loads the child template by taking a value from a separately named value and placing it into a variable named "WidgetConfig."

Etemadieh did provide a quick fix for his bypass of the patch in his post, showing how to disable PHP widgets within vBulletin forums, a step that "may break some functionality but will keep you safe from attacks until a patch is released by vBulletin," he wrote.


News URL

https://threatpost.com/researcher-publishes-bypass-for-patch-for-vbulletin-0-day-flaw/158232/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-24 | CVE-2019-16759 | Code Injection vulnerability in Vbulletin | critical, 9.8 |

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

network, low complexity, vbulletin, CWE-94
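As a defender's check for the request shape in the CVE description above, the following added example (not from the article or the researcher's post) scans web-server access logs for the ajax/render/widget_php route and a widgetConfig[code] parameter. The log lines are constructed, the path form of the route is an assumption, and the bypass request is not covered because this page does not give its parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request shape taken from the CVE-2019-16759 description on this page.
ROUTE = "ajax/render/widget_php"
CODE_PARAM = re.compile(r"^widgetconfig\[\s*['\"]?code['\"]?\s*\]$", re.I)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges, inert placeholder values).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Aug/2020:12:00:01 +0000] "GET /index.php?routestring='
    'ajax/render/widget_php&widgetConfig%5Bcode%5D=PLACEHOLDER HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Aug/2020:12:00:05 +0000] "POST /index.php?routestring='
    'ajax%2Frender%2Fwidget_php HTTP/1.1" 200 128',
    '198.51.100.4 - - [11/Aug/2020:12:01:10 +0000] "GET /index.php?routestring='
    'ajax/render/widget_search HTTP/1.1" 200 900',
    '198.51.100.9 - - [11/Aug/2020:12:02:30 +0000] "GET /ajax/render/widget_php'
    '?widgetConfig[code]=PLACEHOLDER HTTP/1.1" 404 0',
    '198.51.100.9 - - [11/Aug/2020:12:02:31 +0000] "GET /favicon.ico HTTP/1.1" 200 318',
]


def classify(line):
    """Return 'code-param', 'route-only' or None for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    # parse_qsl percent-decodes names and values, so %5B/%5D and %2F are normalised.
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Assumption: the route may arrive as a routestring value or as the URL path.
    routes = [v for k, v in params if k.lower() == "routestring"] + [parts.path]
    if not any(r.lower().strip("/").endswith(ROUTE) for r in routes):
        return None
    if any(CODE_PARAM.match(k) for k, _ in params):
        return "code-param"
    # POST bodies are not in access logs: the parameter may still have been sent.
    return "route-only"


def scan(lines):
    """Return (line_number, verdict) for every line that touches the route."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, verdict) for n, verdict in hits if verdict]


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

A "route-only" verdict on a POST request warrants a look at request-body logging or WAF records, since the access log alone cannot show whether the parameter was sent.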

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vbulletin 1 0 18 2 9 29