CVE-2017-17671

Name of the Vulnerable Software and Affected Versions vBulletin versions prior to 5.4

Description The issue allows remote PHP code execution due to an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname. Specifically, while ../ traversal is blocked, .. traversal is not, enabling an attacker to potentially access and manipulate files. For instance, an attacker could send an invalid HTTP request with PHP code and then use an index.php?routestring= request with sufficient ".." instances to reach an Apache HTTP Server log file.

Recommendations For versions prior to 5.4, update to version 5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the routestring parameter in the index.php endpoint to minimize the risk of exploitation.