Allele Security Alert
ASA-2019-00588
Identifier(s)
ASA-2019-00588, CVE-2019-17132, KIS-2019-02
Title
Remote Code Execution in updateAvatar endpoint
Vendor(s)
vBulletin Solutions, Inc
Product(s)
vBulletin
Affected version(s)
vBulletin version 5.5.4 before Patch Level 2
vBulletin version 5.5.3 before Patch Level 2
vBulletin version 5.5.2 before Patch Level 2
Fixed version(s)
vBulletin version 5.5.4 Patch Level 2
vBulletin version 5.5.3 Patch Level 2
vBulletin version 5.5.2 Patch Level 2
Proof of concept
Yes
Description
User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).
Technical details
Unknown
Credits
Egidio Romano
Reference(s)
vBulletin 5.5.X (5.5.2, 5.5.3, and 5.5.4) Security Patch Level 2
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2
[KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
https://seclists.org/fulldisclosure/2019/Oct/9
[KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
http://karmainsecurity.com/pocs/CVE-2019-17132
CVE-2019-17132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17132
CVE-2019-17132
https://nvd.nist.gov/vuln/detail/CVE-2019-17132
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 25, 2019