Potential Phishing Vector


  • IB Adrian
    started a topic Potential Phishing Vector

    Potential Phishing Vector

    We have recently been advised of an indirect, low-risk phishing vector that could allow a malicious user to restructure vBulletin URL(s) in a fairly obvious attempt to trick an unsuspecting user into inputting their user account information on a site other than the original destination.

    This has been identified as a low-priority phishing vector in all versions of vBulletin, including vBulletin 3 and 4. At this time we believe that the risk to our customers is indirect and at best minimal. Accordingly, no patch is currently available or required for any and all versions of vBulletin software related to this report.

    Generic example of the Phishing Attempt:
    • User can post a fake thread inviting others to reset their passwords using the provided link
    • User edits the link to append an incorrect “last location” to the URL, therefore redirecting traffic outside the site after the form successfully/correctly submits on the original site.
    • For example: http://www.vbulletin.com/forum/login...www.google.com
    • Instead of Google.com in this example the user would go to a fake site where they could potentially be tricked into submitting real information.

    This vector was reported by:

    Robert Gilbert
    HALOCK Security Labs
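
The post-login redirect described in the post above can be constrained by checking the "last location" value before it is used. The following is an added example, not vBulletin code and not part of the original post; the function name `safe_redirect`, the origin `http://forum.example` and the fallback path are assumptions, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "http://forum.example"  # constructed placeholder for the forum's own origin
FALLBACK = "/forum/index"             # hypothetical landing page used when the target is rejected


def safe_redirect(target, site_origin=SITE_ORIGIN, fallback=FALLBACK):
    """Return `target` only if following it keeps the user on `site_origin`."""
    if not target:
        return fallback
    # Browsers treat "\" like "/" and drop control characters and whitespace,
    # so a value containing any of them can resolve somewhere the parser below
    # does not expect. Reject such values outright.
    if any(ord(c) <= 0x20 or c == "\\" for c in target):
        return fallback
    try:
        parts = urlsplit(target)
    except ValueError:
        return fallback
    site = urlsplit(site_origin)

    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path. A leading "//" would be
        # protocol-relative, and a bare "www.example.com" is ambiguous.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback

    # Absolute URL: scheme and full authority must match the site exactly.
    # Comparing the whole netloc also rejects "user@host" and look-alike
    # suffixes such as "forum.example.evil.example".
    same_origin = (parts.scheme, parts.netloc.lower()) == (site.scheme, site.netloc.lower())
    if parts.scheme in ("http", "https") and same_origin:
        return target
    return fallback
```

Rejected values fall back to an on-site page rather than raising an error, so the login itself still completes on the original site.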
