
OpenSUSE forums hack raises vBulletin zero-day exploit possibility

Lucian Constantin | Jan. 10, 2014
A compromise of the community forums for the openSUSE Linux distribution Tuesday sparked concern that hackers have access to a previously unknown exploit for the popular vBulletin Internet forum software.

"The vulnerability was a remote file inclusion which allowed the attacker to open a shell into the forums' Web system," Ehle said. "He used this shell to set up the page and dump the database."

VBulletin Solutions posted a security advisory Friday about a vulnerability in a third-party component called uploader.swf that's part of the Yahoo User Interface (YUI) library included in vBulletin 4.

Yahoo does not plan to fix the vulnerability because it affects only YUI versions 2.5.0 through 2.9.0, which are no longer supported. As a result, vBulletin Solutions advised users to replace the uploader.swf with a dummy file of the same name, which forces vBulletin installations to fall back to an alternative JavaScript-based uploader.

It's not clear if this is the vulnerability that led to the openSUSE forum compromise. According to the Yahoo advisory, the uploader.swf vulnerability is a cross-site scripting (XSS) flaw that allows the injection of arbitrary JavaScript.

This vulnerability does not allow arbitrary file uploads to the vBulletin site on its own, said Daniel Cid, chief technology officer at Web security firm Sucuri, via email. However, it could have been used together with social engineering or phishing to get access to a moderator or admin account and then upload a backdoor shell, he said.

"After the attack, we removed the uploader.swf file as a precaution," Ehle said. "I am not sure if this was the vulnerability that was exploited, but it seems consistent with how the system was compromised. However, it is entirely possible that another, unknown, vector was used."

VBulletin Solutions did not respond to an inquiry seeking information on whether it is aware of a different exploit in the software.

In the meantime, Ehle has some recommendations for other vBulletin site administrators.

"Be strict in your file permissions," he said. "In our system, only the sitemap directories were writable by the web server, which is why only that portion of the site was altered."

The remote Web shell was uploaded into the only writable directories, suggesting that tight file and directory permissions make the exploit much harder to execute, he said. "If you need legitimate file uploads and sitemap generation to work, allow writing to only those directories and set your web server to not execute PHP files in them," he said.
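Ehle's permissions advice turned into a small audit, as an added example that is not code from the article, openSUSE or vBulletin: it lists the directories the web server account can write to, flags PHP files sitting in them, and prints an Apache 2.4 block that disables PHP in a directory that must stay writable. It assumes DOCROOT is the forum's document root, WEB_USER is the account PHP runs as, and an allow-list such as sitemap and images/attach (hypothetical paths) names the directories that legitimately need writes.

```shell
#!/bin/sh
# Added example (not code from the article, openSUSE or vBulletin): audit a
# vBulletin document root for directories the web server account can write
# to, flag PHP files in them, and emit an Apache block that stops PHP running
# there. Assumed inputs: DOCROOT (forum install) and WEB_USER (e.g. www-data).

# Directories under $1 writable by user $2: owned by $2 with owner-write, or
# group/world-writable. If $2 is not a known account on this host (e.g. in a
# test run), only the group/world-writable check applies.
writable_dirs() {
    root=$1; user=$2
    if id -u "$user" >/dev/null 2>&1; then
        find "$root" -type d \( -user "$user" -perm -u+w -o -perm /g+w,o+w \)
    else
        find "$root" -type d -perm /g+w,o+w
    fi | LC_ALL=C sort
}

# PHP-looking files sitting directly in a writable directory: a place where an
# uploaded file could also be executed, which is what a web shell needs.
php_in_writable_dirs() {
    writable_dirs "$1" "$2" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f \( -iname '*.php*' -o -iname '*.phtml' \)
    done | LC_ALL=C sort
}

# Writable directories not on the allow-list given as the remaining arguments
# (relative to $1), e.g. the sitemap and attachment directories.
unexpected_writable_dirs() {
    root=$1; user=$2; shift 2
    writable_dirs "$root" "$user" | while IFS= read -r d; do
        rel=${d#"$root"/}; ok=0
        for a in "$@"; do if [ "$rel" = "$a" ]; then ok=1; fi; done
        [ "$ok" -eq 1 ] || echo "$d"
    done
}

# Apache 2.4 block for a directory that must stay writable: mod_php engine off
# and PHP-looking files refused outright (php-fpm needs the same in its handler).
php_deny_block() {
    printf '<Directory "%s">\n    php_admin_flag engine off\n' "$1"
    printf '    <FilesMatch "\\.ph(p[0-9]?|tml)$">\n        Require all denied\n'
    printf '    </FilesMatch>\n</Directory>\n'
}

# Usage: DOCROOT=/var/www/forums WEB_USER=www-data sh audit.sh sitemap images/attach
if [ -n "$DOCROOT" ]; then
    unexpected_writable_dirs "$DOCROOT" "${WEB_USER:-www-data}" "$@"
    php_in_writable_dirs "$DOCROOT" "${WEB_USER:-www-data}"
fi
```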

Ehle also suggested using an alternative authentication system. The default one in vBulletin still uses MD5-based password hashing, which is inexcusable by today's standards, according to Ehle.

The fact that openSUSE's forums site used an external single sign-in system — except for a few administrative accounts whose passwords have since been reset — prevented the breach from being much worse, he said.
