"The vulnerability was a remote file inclusion which allowed the attacker to open a shell into the forums Web system," Ehle said. "He used this shell to set up the page and dump the database."
VBulletin Solutions posted a security advisory Friday about a vulnerability in a third-party component called uploader.swf that's part of the Yahoo User Interface (YUI) library included in vBulletin 4.
This vulnerability does not allow arbitrary file uploads to the vBulletin site on its own, said Daniel Cid, chief technology officer at Web security firm Sucuri, via email. However, it could have been used together with social engineering or phishing to get access to a moderator or admin account and then upload a backdoor shell, he said.
"After the attack, we removed the uploader.swf file as a precaution," Ehle said. "I am not sure if this was the vulnerability that was exploited, but it seems consistent with how the system was compromised. However, it is entirely possible that another, unknown, vector was used."
VBulletin Solutions did not respond to an inquiry seeking information on whether it is aware of a different exploit in the software.
In the meantime, Ehle has some recommendations for other vBulletin site administrators.
"Be strict in your file permissions," he said. "In our system, only the sitemap directories were writable by the web server, which is why only that portion of the site was altered."
The remote Web shell was uploaded into the only writable directories, suggesting that tight file and directory permissions make the exploit much harder to execute, he said. "If you need legitimate file uploads and sitemap generation to work, allow writing to only those directories and set your web server to not execute PHP files in them," he said.
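The permission and web-server hardening Ehle recommends, as an added example that is not code from the article, openSUSE or vBulletin. The document root /var/www/forums, the deploy account, the www-data group, an uploads directory alongside sitemap, and the Apache drop-in path are assumptions:

```shell
# Added example (not from the article, openSUSE or vBulletin): code tree read-only
# for the web server, a short list of writable directories, and no PHP served or
# executed from them. All paths, the deploy account and the group are assumptions.
set -eu
DOCROOT="${DOCROOT:-/var/www/forums}"   # assumed vBulletin document root
DEPLOY_USER="${DEPLOY_USER:-deploy}"    # owns the code; the web server does not
WEB_GROUP="${WEB_GROUP:-www-data}"      # group the web server runs as
WRITABLE_DIRS="sitemap uploads"         # the only directories the server may write
CONF_OUT="${CONF_OUT:-/etc/apache2/conf-available/forums-writable.conf}"  # assumed

# 1. Code is read-only for the web server; only WRITABLE_DIRS become group-writable.
harden_tree() {
    root="$1"
    chown -R "$DEPLOY_USER:$WEB_GROUP" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod 770 "$root/$d"; fi
    done
}

# 2. Apache drop-in for the writable directories: "SetHandler None" undoes any
#    global mod_php/PHP-FPM handler, and "Require all denied" refuses to serve PHP
#    files from there at all, so a dropped web shell is neither run nor fetched.
write_apache_conf() {
    root="$1"; out="$2"
    : > "$out"
    for d in $WRITABLE_DIRS; do
        cat >> "$out" <<EOF
<Directory "$root/$d">
    Options -Indexes -ExecCGI
    <FilesMatch "\.(php|phtml|phar|php[0-9])\$">
        SetHandler None
        Require all denied
    </FilesMatch>
</Directory>
EOF
    done
}

# 3. Audit: directories that are group- or world-writable and already hold PHP
#    files, the combination a web-shell drop needs. A hardened tree prints nothing.
find_writable_php_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) | sort |
    while read -r dir; do
        if [ -n "$(find "$dir" -maxdepth 1 -name '*.php' | head -n 1)" ]; then echo "$dir"; fi
    done
}

if [ "${1:-}" = apply ]; then harden_tree "$DOCROOT"; write_apache_conf "$DOCROOT" "$CONF_OUT"; fi
```

Run with `apply` as root to change ownership and write the drop-in; run `find_writable_php_dirs "$DOCROOT"` afterwards (and periodically) to confirm no writable directory holds PHP files.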
Ehle also suggested using an alternative authentication system. The default one in vBulletin still uses MD5-based password hashing, which is inexcusable by today's standards, according to Ehle.
The fact that openSUSE's forums site used an external single sign-in system — except for a few administrative accounts whose passwords have since been reset — prevented the breach from being much worse, he said.