A security flaw in an SEO module of forum software VBulletin has been described as "critical" by security vendor Sucuri after they found hackers could use it to execute malicious PHP code.
VBulletin previously warned its users earlier in the week that it had found a problem with VBSEO, but had been unable to contact the vendor of the SEO module.
Marc-Alexandre Montpas, senior vulnerability researcher at Sucuri, said: "The vulnerable snippet of code executes upon loading vBulletin’s memberinfo_visitormessage template.
"That means that if you allow your visitors (authenticated or not) to leave and see the ‘visitor messages’ section of a user’s profile, you’re at risk."
Hackers could use the problem to insert a malicious payload such as data destruction or malware installation via PHP code, he added, and while analysing the site he had also found a cross-site scripting (XSS) vulnerability which could also be used to inject harmful code.
However he noted the high level of customisation in VBulletin meant that users may or may not be directly affected by the bug.This article is from the CBROnline archive: some formatting and images may not be present.
In a note to customers VBulletin said they could comment out relevant lines of code so they would not be processed, but added it might affect their warranty with the module. Full instructions are available on Sucuri’s blog.