Unpatched critical vulnerability in the vBulletin web forum engine (updated)

Information has been disclosed about an unpatched (0-day) critical vulnerability (CVE-2019-16759) in the proprietary web forum engine vBulletin that allows code to be executed on the server by sending a specially crafted POST request. A working exploit for the problem is available. vBulletin is used by many open source projects, including the forums of Ubuntu, openSUSE, BSD systems and Slackware.

The vulnerability lies in the "ajax/render/widget_php" handler, which allows arbitrary code to be passed in through the "widgetConfig[code]" parameter (the code to run is passed as-is; nothing needs to be escaped). The attack does not require authentication on the forum. The issue has been confirmed in all releases of the current vBulletin 5.x branch (in development since 2012), including the most recent release, 5.5.4. A hotfix update has not yet been prepared.

Addendum 1: Patches have been released for versions 5.5.2, 5.5.3 and 5.5.4. Owners of older 5.x releases are advised to first update their systems to the latest supported versions in order to fix the vulnerability; as a workaround, the call to "eval($code)" in the evalCode function in the includes/vb5/frontend/controller/bbcode.php file can be commented out.

Addendum 2: The vulnerability is already being actively exploited in attacks for spamming and for planting backdoors. Traces of an attack can be found in the HTTP server logs by looking for requests containing the string "ajax/render/widget_php".
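A defender-side check for the log trace just described, as an added example that is not part of the original article: it scans access-log lines in the Apache/nginx "combined" format (an assumption about the forum server's log format), flags every request whose path targets the widget_php handler, and counts the flagged requests per source address; the log lines it runs on are constructed samples.

```python
import re
from typing import Dict, List, NamedTuple

# Apache/nginx "combined" access-log format (assumption: the forum's web server logs in this format)
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The vulnerable handler's path; the advisory says requests containing it are the trace to look for
WIDGET_PHP_MARKER = "ajax/render/widget_php"

class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: str

def scan_log(lines: List[str]) -> List[Hit]:
    """Return every request whose path targets the widget_php handler."""
    hits: List[Hit] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it rather than crash on junk
        # Strip the query string and lower-case, so "/forum/AJAX/render/widget_php?x=1" is still caught
        path = m.group("path").split("?", 1)[0]
        if WIDGET_PHP_MARKER in path.lower():
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"), m.group("path"), m.group("status")))
    return hits

def hits_per_source(hits: List[Hit]) -> Dict[str, int]:
    """Count flagged requests per client address, which helps spot automated mass scanning."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts

# Constructed sample log lines (not real traffic); addresses are from RFC 5737 documentation ranges
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2019:10:14:03 +0000] "POST /ajax/render/widget_php HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '198.51.100.2 - - [25/Sep/2019:10:14:05 +0000] "GET /forum/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2019:10:14:09 +0000] "POST /forum/AJAX/render/widget_php?x=1 HTTP/1.1" 200 4 "-" "curl/7.64.0"',
    'this line is not in combined format and must be skipped',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.method} {hit.path} -> {hit.status}")
```

Because the payload travels in the POST body, which access logs do not record, the path alone is the usable indicator; a successful request (status 200) from an unfamiliar client is the case to investigate first.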

Addendum 3: Traces of the issue under discussion have surfaced in old attacks; apparently the vulnerability has been exploited for around three years. In addition, a script has been published that can be used to carry out mass automated attacks, locating vulnerable systems through the Shodan service.

Source: opennet.ru