Full Disclosure mailing list archives
[KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
From: Egidio Romano <research () karmainsecurity com>
Date: Mon, 07 Oct 2019 21:47:19 +0200
---------------------------------------------------------------------
vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
---------------------------------------------------------------------

[-] Software Link:

https://www.vbulletin.com/

[-] Affected Versions:

Version 5.5.4 and prior versions.

[-] Vulnerability Description:

User input passed through the "data[extension]" and "data[filedata]" parameters to the "ajax/api/user/updateAvatar" endpoint is not properly validated before being used to update users' avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the "Save Avatars as Files" option to be enabled (disabled by default).

[-] Proof of Concept:

http://karmainsecurity.com/pocs/CVE-2019-17132

[-] Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or later.

[-] Disclosure Timeline:

[30/09/2019] - Vendor notified
[03/10/2019] - Patch released: https://bit.ly/2OptAzI
[04/10/2019] - CVE number assigned
[07/10/2019] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-17132 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-02
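The advisory's root cause is an avatar-save path that trusts the caller-supplied extension and file bytes. The following is an added, editor-written example (not vBulletin's code, and not from the advisory) of the validation such an endpoint should perform before writing an avatar to disk: an extension allowlist, a magic-byte check on the content, and a stored filename built only from the user id and the sniffed image type. The function names, the raw-bytes form of the file data and the size limit are assumptions of this example.

```python
# Allowlisted avatar extensions; anything else is rejected regardless of content.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Magic-byte signatures mapped to the extension the file will actually be stored under.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None if unrecognised."""
    for signature, ext in MAGIC:
        if data.startswith(signature):
            return ext
    return None


def validate_avatar(extension: str, filedata: bytes, max_bytes: int = 512 * 1024):
    """Validate a caller-supplied (extension, filedata) pair.

    Returns (True, stored_extension) on success or (False, reason) on rejection.
    The stored extension is derived from the content, never from the caller string.
    """
    ext = extension.strip().lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    if not filedata or len(filedata) > max_bytes:
        return False, "filedata empty or too large"
    sniffed = sniff_image_type(filedata)
    if sniffed is None:
        return False, "filedata is not a recognised image"
    # Normalise the caller's spelling so "jpeg" and "jpg" compare equal.
    if ext == "jpeg":
        ext = "jpg"
    if sniffed != ext:
        return False, "extension does not match image content"
    return True, sniffed


def build_avatar_filename(user_id: int, stored_ext: str) -> str:
    """Build the on-disk name from a numeric id and a sniffed extension only (assumed layout)."""
    if not isinstance(user_id, int) or user_id <= 0:
        raise ValueError("user_id must be a positive integer")
    if stored_ext not in {"gif", "jpg", "png"}:
        raise ValueError("stored_ext must come from sniff_image_type")
    return f"avatar{user_id}.{stored_ext}"
```
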