Bleeping Computer: They donated $20,000 to Children International and The Water Project. But the money comes from ransomware criminal activity, and the organizations won't keep it.
Sucuri: Cybercriminals are exploiting a new remote code execution (RCE) zero-day vulnerability to launch waves of cyber attacks. It allows any website visitor to run PHP code and shell commands on the site's underlying server.
Cybercriminals are exploiting a newly discovered remote code execution (RCE) zero-day vulnerability to launch waves of cyber attacks, as announced by Sucuri's cyber security experts. The flaw was disclosed by an anonymous researcher and is extremely severe: it allows any website visitor to run PHP code and shell commands on the site's underlying server. The bug lies in vBulletin's PHP widgets, which are rendered at runtime and used to create dynamic widgets without having to directly access the hosting server. The researcher found a way to force the site to render arbitrary widgets through the ajax/render/widget_php route. Since the evalCode callback does exactly what its name suggests, essentially running eval on the code it is fed, this makes it possible to run arbitrary code on the underlying server.
The cyber security experts: The RCE zero-day is extremely severe and to date there is no official patch to fix it. However, there is a temporary workaround.
According to the cyber security experts, cyber criminals are using an interesting payload with the RCE zero-day. It essentially modifies the vulnerable snippet by adding a password check. This is a way for attackers to keep access to the sites they have compromised for themselves, while locking other would-be intruders out. From that point on, the threat actor can use the newly acquired site for further malicious activity. Furthermore, to date there are no official patches available to fix this issue. A temporary workaround is to navigate from the administration panel to Admincp >> Options >> General Settings and, from there, enable the "Disable PHP, Static HTML, and Ad Module rendering" setting. However, this may break legitimate uses of the feature.
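Until the patch or the workaround above is applied, the one concrete indicator the write-up gives is the ajax/render/widget_php route itself, which ordinary browsing of a forum does not normally hit. The following is an added example (not Sucuri's code) that scans web server access logs in combined format, flags every request to that route, and counts hits per source address so a defender can spot probing or repeated exploitation; the log lines are constructed samples and the IPs are documentation addresses.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2019:10:01:02 +0000] "POST /forum/ajax/render/widget_php HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.7 - - [24/Sep/2019:10:01:05 +0000] "GET /forum/forumdisplay.php?f=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2019:10:01:09 +0000] "POST /forum/ajax/render/widget_php HTTP/1.1" 200 480 "-" "python-requests/2.22.0"
192.0.2.9 - - [24/Sep/2019:10:02:11 +0000] "GET /forum/ajax/render/widget_php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2019:10:03:00 +0000] "POST /forum/ajax/render/widget_php?widgetid=1 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# The route named in the write-up. Matched anywhere in the path so a site prefix
# (/forum/...) or a trailing query string does not hide it.
WIDGET_ROUTE = re.compile(r'/ajax/render/widget_php(?:[/?]|$)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_widget_php_hits(log_text):
    """Return every parsed request whose path targets the widget_php route."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and WIDGET_ROUTE.search(rec["path"]):
            hits.append(rec)
    return hits


def hits_by_source(hits):
    """Count flagged requests per client address to surface repeated probing."""
    return Counter(rec["ip"] for rec in hits)


if __name__ == "__main__":
    flagged = find_widget_php_hits(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} ua={rec["ua"]!r}')
    print("hits per source:", dict(hits_by_source(flagged)))
```

Any hit on this route from outside your own administrators deserves a look at the server for added files or modified widget code, since the payload the write-up describes persists the attacker's own access.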