vBulletin routestring Local File Inclusion

  • vBulletin is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server.

    vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring. The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server.
  • At this time there is no solution or workaround for this vulnerability.