Full Disclosure mailing list archives

[KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability


From: Egidio Romano <research () karmainsecurity com>
Date: Mon, 07 Oct 2019 21:47:19 +0200

---------------------------------------------------------------------
vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
---------------------------------------------------------------------


[-] Software Link:

https://www.vbulletin.com/


[-] Affected Versions:

Version 5.5.4 and prior versions.


[-] Vulnerability Description:

User input passed through the "data[extension]" and "data[filedata]" parameters to the "ajax/api/user/updateAvatar" endpoint is not properly validated before being used to update users' avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the "Save Avatars as Files" option to be enabled (disabled by default).
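As an added illustration (not vBulletin's code and not the vendor's patch), the kind of server-side check a defender would expect in front of an avatar write to disk: the extension is restricted to an allowlist, the file data must carry the matching image signature, and anything containing a PHP tag is refused. The allowlist and size limit are assumptions, not values taken from the product.

```python
import re

# Constructed allowlist: avatar extension -> magic bytes the upload must start with.
# Assumption: these are the only image types the site wants to store as avatar files.
ALLOWED_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed upper bound for an avatar
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_avatar(extension: str, filedata: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Only a plain image with an allowlisted extension whose
    signature matches passes, so nothing PHP-like can land on disk under an
    executable name when avatars are saved as files."""
    ext = extension.strip().lower()
    # One short alphanumeric token: "php", "phtml", "jpg.php" and "../x" all fail here.
    if not re.fullmatch(r"[a-z0-9]{1,4}", ext) or ext not in ALLOWED_SIGNATURES:
        return False, f"extension not allowed: {extension!r}"
    if not filedata or len(filedata) > MAX_AVATAR_BYTES:
        return False, "filedata empty or too large"
    if not filedata.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "file signature does not match extension"
    if PHP_TAG.search(filedata):
        # A valid image header with PHP appended is still refused rather than stored.
        return False, "PHP tag found in image data"
    return True, "ok"


def check_update_avatar(form: dict) -> tuple[bool, str]:
    """Apply the check to the two parameters named in the advisory, as they would
    arrive in the request form (hypothetical wrapper, not the real endpoint)."""
    ext = form.get("data[extension]", "")
    data = form.get("data[filedata]", b"")
    if isinstance(data, str):
        data = data.encode("latin-1")
    return validate_avatar(ext, data)
```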


[-] Proof of Concept:

http://karmainsecurity.com/pocs/CVE-2019-17132


[-] Solution:

Apply the vendor Security Patch Level 2 or upgrade to version 5.5.5 or later.


[-] Disclosure Timeline:

[30/09/2019] - Vendor notified
[03/10/2019] - Patch released: https://bit.ly/2OptAzI
[04/10/2019] - CVE number assigned
[07/10/2019] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-17132 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-02


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

