New security vulnerability in vBulletin 3.0.7-3.5.3

[Trunkmonkey]

There has been an unconfirmed report on the BUGTRAQ mailing list that a Russian hacker has found a critical vulnerability in vBulletin that gives shell access to the Web server. Here is the mailing list trail where he claims to have found the vulnerability and will not be reporting it to the vendor. Please excuse his English.

Date: 4 Feb 2006 23:56:22 -0000
From: h.z@inbox.ru
To: bugtraq@securityfocus.com
Subject: Vulnerabilities in vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).

Hi everyone!
the January 23 me was done work on revealing the criticality in
forum vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).
-------------------------------------------------------------------------
The Criticality were find nearly similar nature. Later I have tested them on
rest version and they have in the same way operated. After two three days were
written two exploits under these two forums. Eksploit allows to get web - shell
on server where is installed forum. So much for that I can say on this cause.
Letter this has wrote therefor that developers of these programme products knew
that in them there are mistakes for attention.
Thank you.

H.Z
UIN: 3413665
h.z@inbox.ru

Paul on the list responds to him:

Date: Mon, 6 Feb 2006 19:23:46 -0500 (EST)
From: Paul Laudanski <zx@castlecops.com>
To: h.z@inbox.ru
Cc: bugtraq@securityfocus.com
Subject: Re: Vulnerabilities in vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).

On 4 Feb 2006 h.z@inbox.ru wrote:

> Hi everyone!
> the January 23 me was done work on revealing the criticality in
> forum vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).

Is this poc published and have the vendors been notified?

--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com

And the hacker responds directly to Paul; Paul forwards the response to the BUGTRAQ mailing list:

Date: Mon, 6 Feb 2006 19:47:20 -0500 (EST)
From: Paul Laudanski <zx@castlecops.com>
To: h.z@inbox.ru
Cc: bugtraq@securityfocus.com
Subject: Re: Vulnerabilities in vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).

On 4 Feb 2006 h.z@inbox.ru wrote:

> No, I nobody has not reported on this criticality. Let all read
> message on securityfocus.com. poc will possible be on sale only
> narrow circle of the people from russian hacker

So your exploit is not being reported to the vendors and you are going
to sell this?

> The People cash, for safe code if him all time to point to errors that
> they will not learn nor that! And additionally me not advantageously
> that they have quickly heard problem

All about the cash? Where is your ethics?

--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com

[Trunkmonkey]

And Scott from vBulletin just responded on BUGTRAQ:

Date: 7 Feb 2006 02:47:36 -0000
From: scott@vbulletin.com
To: bugtraq@securityfocus.com
Subject: Re: Vulnerabilities in vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).

While we take all security reports seriously we have investigated this report and have been unable to find any sort of exploit suggested by the author.

External security audits are performed on a regular basis and we are committed to the fast response and release of patches for any vulnerability, credit is also given where due for any discoveries.

After contacting the author for more information the response we received was that a fee would have to be paid for more information. As a company we refuse to be coerced into paying a ransom given that the author has not been able to demonstrate that the vulnerability exists, much less a willingness to work with us to ensure a secure product for end users.

So it looks like you guys are already on top of if. Feel free to close this thread if need be.

[Zachery]

We are already aware and have made our responses in other threads.