A security researcher whose name remains unknown has posted details of a zero-day in vBulletin, the internet forum software.
It is precisely the publication of those details that poses the risk. The reason: the vulnerability was published before it could be fixed, which means it may lead to hacking attacks on forums and spying on user information.
In fact, the zero-day allows an attacker to execute shell commands on the server. What is remarkable is that the attacker does not even need an account on the forum.
The post appeared on Full Disclosure. Security researchers frequently publish details of unpatched security flaws when they have not been fixed after repeated vulnerability reports. However, at this time it is unclear whether the anonymous researcher first reported the vulnerability to the vBulletin team and the team failed to address the issue in a timely manner, leading the researcher to publish it independently. Nor can it be excluded that this was a deliberate decision aimed at discrediting vBulletin.
According to W3Techs, 0.1% of sites run a vBulletin forum. That means billions of users are affected. Forums are designed to collect information about their users. While billions of online sites do not store user information, forums can hold user data very easily. Therefore, 0.1% is very significant when calculating how many users could be registered on these forums.
While vBulletin is used by many sites, the good news is that the zero-day affects only the 5.x version. In practice this means that forums running an older version are safe, provided they have applied the necessary fixes.
Zerodium is a company that buys zero-days in web-based software and resells them to law enforcement. Many dark web forums, such as those that distribute criminal services, malware, or child abuse images, are often run on vBulletin. According to the company, the anonymous security researcher could have made up to $10,000 in return for giving Zerodium the zero-day details, rather than putting user data at risk by publishing them.
The author allows you to copy his or her text only if you cite the source (SecNews.gr) with a live link to the article.