vBulletin is a widely used proprietary Internet forum software package developed by vBulletin Solutions, Inc. It is written in PHP and uses a MySQL database server.
vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. An unauthenticated user can send a GET request to /index.php that triggers the file inclusion vulnerability through the routestring parameter. With a crafted request to a vBulletin server installed on Windows, an attacker can include any file on the web server.
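Because the trigger is a GET request to /index.php carrying a routestring parameter, web server access logs can be reviewed for it. The following is an added example, not part of the original advisory or of vBulletin: it assumes combined-format access logs, and the heuristics, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Heuristics are assumptions of this example, not taken from the advisory: a normal
# routestring is treated as a forward-slash route without file-system syntax.
SUSPICIOUS = [
    ("backslash", re.compile(r"\\")),
    ("dot-dot", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("drive-letter", re.compile(r"^[a-zA-Z]:")),
    ("file-extension", re.compile(r"\.(php\d?|phtml|inc|ini|log|txt|conf)$", re.I)),
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?routestring=forum/general HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?routestring=..%5C..%5Cplaceholder.txt HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /forum/index.php?routestring=%252e%252e%255Cplaceholder.inc HTTP/1.1" 200 298',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?routestring=..%5Cx HTTP/1.1" 404 0',
]

def routestring_findings(target):
    """Return the names of the heuristics matched by the routestring value(s)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.php"):
        return []
    findings = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("routestring", []):
        # parse_qs decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        for name, pattern in SUSPICIOUS:
            if pattern.search(decoded) and name not in findings:
                findings.append(name)
    return findings

def scan_log(lines):
    """Return (line_number, client, findings) for each flagged GET request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        findings = routestring_findings(match.group("target"))
        if findings:
            hits.append((number, line.split(" ", 1)[0], findings))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same checks can be applied at a reverse proxy or web application firewall to reject matching requests before they reach the forum.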
- At this time there is no solution or workaround for this vulnerability.
- WordPress Plugin Advanced Custom Fields 'acf_abspath' Parameter Remote File Include (3.5.1)
- WordPress Plugin Social Discussions Remote File Include and Information Disclosure Vulnerabilities (6.1.1)
- WordPress Plugin WP Fastest Cache Local File Inclusion (0.8.5.9)
- WordPress Plugin Wechat Broadcast Local/Remote File Inclusion (1.2.0)
- WordPress Plugin BackWPup 'wp_export_generate.php' Local and Remote File Include Vulnerabilities (2.1.4)