Researcher Publishes Bypass for Patch for vBulletin 0-Day Flaw
Quote: A security researcher has published proof-of-concept code to outsmart a patch issued last year for a zero-day vulnerability discovered in vBulletin, a popular software for building online community forums.
 
Calling a patch for the flaw a “fail” and “inadequate in blocking exploitation,” Austin-based security researcher Amir Etemadieh published details and examples of exploit code on three developer platforms – Bash, Python and Ruby – for the patch in a post published Sunday night.
 
On September 23, 2019, an unidentified security researcher released exploit code for a flaw that allowed for PHP remote code execution in vBulletin 5.0 through 5.4, Etemadieh wrote.
 
The zero-day, CVE-2019-16759, is called a pre-auth RCE bug, which can allow an attacker to run malicious code and take over forums without needing to authenticate on the sites that are under attack.
 
“This bug (CVE-2019-16759) was labeled as a ‘bugdoor’ because of its simplicity by a popular vulnerability broker and was marked with a CVSS 3.x score of 9.8 giving it a critical rating,” he said in the post.
A patch was issued two days later, Sept. 25, 2019, that “seemed, at the time, to fix the proof of concept exploit provided by the un-named finder,” Etemadieh said.

Source: https://threatpost.com/researcher-publis...aw/158232/
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096