A recently uncovered vulnerability allows an attacker to hijack an administrator account, thereafter wreaking havoc on unsuspecting discussion forum members through phisihing and disruption schemes. The vulnerability, described by Incapsula in September, essentially allows unrestricted external access to the ‘/install/’ directory. A hacker can create a secondary administrative account to gain full control.
The news was followed by several attack reports from vBulletin users, and Incapsula noted that the threat was soon mitigated and that newly gathered data was aggregated in the form of a security patch. vBulletin also offered a mitigation technique in a blog post encouraging customers to delete the /install, /core/install in vBulleting 4.x and 5.x.
Nonetheless, hackers are still developing new exploits for the loophole. Imperva, after gaining access to some concrete technical details on the vulnerability, began scanning hacker forums in search of an exploit code and soon found a PHP code that implements the attack.
“Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker’s methods,” said Barry Shteiman, director of security strategy at Imperva, in a column.
In order to exploit the vulnerability and take over the accounts, the attacker needs to know both the vulnerable vBulletin upgrade.php’s exact URL as well as the customer ID. Both can be uncovered using an additional auxiliary PHP script, Imperva found. The script can scan a site for the vulnerable path and extracts the customer ID from within the page’s source code.
“The result of the attack was exactly what the exploit package described,” Shteiman said. “A new admin user was created (eviladmin) that is under the control of the attacker. The site has been successfully compromised.”
CMS platforms are popular targets for hackers because they support vast swaths of the online publishing world. One compromise or successful exploit can give hackers access to thousands of accounts and sites – an attractive, cost-effective proposition. There have been recent attacks against Joomla, Wordpress and Drupal, among others, demonstrating the critical importance of implementing patches when they come along.