Unlicensed VBulletin Installations Vulnerability Allow Unauthorized Directory Listing

January 22nd, 2010

Unlicensed vBulletin Installations Vulnerability Allow Unauthorized Directory Listing

A technique used to get complete listings of files and directories from illegal installations of vBulletin has been revealed on a Romanian hacking forum. This vulnerability is generated by a file included in many cracked versions of the forum platform.

vBulletin (vB) is a commercial-only Internet forum software written in PHP and using MySQL as a database backend. Since its release in 2000, the platform has gained a lot of popularity due to its unique set of features and professional support. Searching for “powered by vBulletin” on Google reveals a staggering 1.6 billion results.

Most of these results correspond to legit installations made by people who paid a license fee in order to use the software. However, there are many installs, which are rogue, because similarly to all popular programs, vBulletin is pirated too.

vB versions with their copyright protection mechanism subverted are called “nullified” and one of the most prominent providers of such releases is a group called DGT. It seems that this team of crackers is in the habit of including a file called validator.php in all of its illegal vBulletin packages.

According to the release notes, this file can be used to verify that files included in the package have not been altered by third parties. It is also noted in the instructions that this file should be removed after installation, but obviously most users never read them.

Left on the server, the validator.php file can be executed via the browser by virtually anyone. This is certainly not desirable as it will output the full path of all files within the installation directory and can lead to sensitive information being exposed.

For example, a section in the vBulletin administration interface allows creating database backups, which get saved in a writable directory. It’s safe to assume that people who do not bother deleting validator.php are not likely to delete these backups either. Knowing the exact names of these files would make it trivial for an attacker to steal them.

Given the nature of this vulnerability, it is very likely that it has been known for quite some time in restricted hacking circles.

This should serve as a lesson for people who choose to run pirated copies of commercial software – you can never be certain that illegally downloaded code is safe. Nevertheless, if are running a “nullified” vBulletin distribution, check if there is a validator.php file in your installation directory and remove it immediately. Also, remove any potentially sensitive files that you are currently hosting inside that folder.

Credit: Softpedia.com News

Share this article with others:

More on CyberInsecure:

Compromised Web Servers Used As Botnet To Brute Force SSH

WordPress Parameter Directory Traversal Vulnerability

Gdiplus.dll Vulnerability In WinZip Fixed In Version 11.2 SR-1

Drive-by Download Attack Hits Multiple Sites Running Vulnerable ColdFusion Application

Apple Safari Domain Extensions Insecure Cookie Access Vulnerability

Posted in Data Theft, Software, Vulnerabilities |

Print This Post

This entry was posted on Friday, January 22nd, 2010 at 1:36 pm and is filed under Data Theft, Software, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.