Friday, August 12, 2016

Fix For vBulletin Available

An update has been released for vBulletin, software that is used on many internet forums. The update fixes an SSRF (Server-Side Request Forgery) vulnerability that allows unauthenticated remote attackers to access internal services (such as mail servers, memcached, CouchDB and Zabbix) running on the server hosting vBulletin, as well as services on other servers on the local network that are accessible from the target. A public exploitation method is available, so it is strongly advised that forums running vBulletin are updated to the latest version.

Affected versions:
- vBulletin 5.2.2 and earlier
- vBulletin 4.2.3 and earlier
- vBulletin 3.8.9 and earlier

More information:
- http://www.securityfocus.com/archive/1/539149
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta
