ASA-2019-00588 – vBulletin: Remote Code Execution in updateAvatar endpoint


Allele Security Alert

ASA-2019-00588

Identifier(s)

ASA-2019-00588, CVE-2019-17132, KIS-2019-02

Title

Remote Code Execution in updateAvatar endpoint

Vendor(s)

vBulletin Solutions, Inc

Product(s)

vBulletin

Affected version(s)

vBulletin version 5.5.4 before Patch Level 2
vBulletin version 5.5.3 before Patch Level 2
vBulletin version 5.5.2 before Patch Level 2

Fixed version(s)

vBulletin version 5.5.4 Patch Level 2
vBulletin version 5.5.3 Patch Level 2
vBulletin version 5.5.2 Patch Level 2

Proof of concept

Yes

Description

User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).
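The condition described above can be audited on the defensive side by checking logged requests to this endpoint. The following Python sketch is an added example, not code from this alert or from vBulletin; it assumes form-encoded request bodies are available from a proxy or WAF audit log and that “data[filedata]” carries the raw file bytes, and the allowlist and sample entries are constructed.

```python
from urllib.parse import parse_qsl

ENDPOINT = "ajax/api/user/updateAvatar"  # endpoint named in the advisory

# Assumption: avatar types the site accepts, with their file signatures.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

def audit_request(path, body):
    """Return findings for one logged request; an empty list means nothing to flag."""
    if ENDPOINT not in path:
        return []
    # latin-1 maps bytes 1:1 to code points, so percent-decoded binary survives.
    params = dict(parse_qsl(body, keep_blank_values=True, encoding="latin-1"))
    ext = params.get("data[extension]", "").lower()
    filedata = params.get("data[filedata]", "").encode("latin-1", "replace")
    if ext not in MAGIC:
        return [f"data[extension]={ext!r} is not an allowlisted image extension"]
    if not filedata.startswith(MAGIC[ext]):
        return [f"data[filedata] does not start with a {ext} file signature"]
    return []

def audit_log(entries):
    """Return (path, findings) for every flagged (path, body) entry."""
    return [(path, f) for path, body in entries if (f := audit_request(path, body))]

# Constructed sample entries (not taken from any real log).
SAMPLE_LOG = [
    ("/ajax/api/user/updateAvatar", "data[extension]=gif&data[filedata]=GIF89a%01%00%01%00"),
    ("/ajax/api/user/updateAvatar", "data[extension]=xyz&data[filedata]=GIF89a%01%00%01%00"),
    ("/ajax/api/user/updateAvatar", "data[extension]=png&data[filedata]=plain+text"),
    ("/search", "q=avatar"),
]

if __name__ == "__main__":
    for path, findings in audit_log(SAMPLE_LOG):
        print(path, findings)
```

A flagged entry is a prompt for review on installations where “Save Avatars as Files” is enabled; the fix remains the Patch Level 2 release listed under Fixed version(s).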

Technical details

Unknown

Credits

Egidio Romano

Reference(s)

vBulletin 5.5.X (5.5.2, 5.5.3, and 5.5.4) Security Patch Level 2
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2

[KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
https://seclists.org/fulldisclosure/2019/Oct/9

[KIS-2019-02] vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
http://karmainsecurity.com/pocs/CVE-2019-17132

CVE-2019-17132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17132

CVE-2019-17132
https://nvd.nist.gov/vuln/detail/CVE-2019-17132


Last modified: October 25, 2019
