Possibly vulnerable to unauthorized directory listing

Jan 25, 2010 18:00 GMT

A technique used to get complete listings of files and directories from illegal installations of vBulletin has been revealed on a Romanian hacking forum. This vulnerability is generated by a file included in many cracked versions of the forum platform.

vBulletin (vB) is a commercial-only Internet forum software written in PHP and using MySQL as a database backend. Since its release in 2000, the platform has gained a lot of popularity due to its unique set of features and professional support. Searching for "powered by vBulletin" on Google reveals a staggering 1.6 billion results.

Most of these results correspond to legitimate installations made by people who paid a license fee in order to use the software. However, there are also many rogue installs, because, like all popular programs, vBulletin is pirated too.

vB versions with their copyright protection mechanism subverted are called "nullified" and one of the most prominent providers of such releases is a group called DGT. It seems that this team of crackers is in the habit of including a file called validator.php in all of its illegal vBulletin packages.

According to the release notes, this file can be used to verify that files included in the package have not been altered by third parties. It is also noted in the instructions that this file should be removed after installation, but obviously most users never read them.

Left on the server, the validator.php file can be executed via the browser by virtually anyone. This is certainly not desirable as it will output the full path of all files within the installation directory and can lead to sensitive information being exposed.

For example, a section in the vBulletin administration interface allows creating database backups, which get saved in a writable directory. It's safe to assume that people who do not bother deleting validator.php are not likely to delete these backups either. Knowing the exact names of these files would make it trivial for an attacker to steal them.

In fact, this is exactly the sort of scenario that led to the public disclosure of this trick on the Romanian Security Team (RST) Center website. "Me and kwe were out smoking two hours ago […] We were wondering how tinkode [another hacker] was managing to get his hands on the databases of all those warez forums," a user called paxnWo writes in the beginning of a post describing the technique. [Translated from Romanian.]

Meanwhile, TinKode, who is known for having hacked into NASA and U.S. Army websites, published an advisory on his own blog, taking credit for the find. However, given the nature of this vulnerability, it is very likely that it has been known for quite some time in restricted hacking circles.

This should serve as a lesson for people who choose to run pirated copies of commercial software - you can never be certain that illegally downloaded code is safe. Nevertheless, if you are running a "nullified" vBulletin distribution, check whether there is a validator.php file in your installation directory and remove it immediately. Also, remove any potentially sensitive files that you are currently hosting inside that folder.
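The check recommended above, written out as a small audit script. This is an added example and not code from the article, from DGT or from vBulletin: it walks a forum webroot, reports every leftover validator.php and every database dump that the web server could serve, and offers a one-line removal of the validator. The directory layout used in the demo (a `backup` folder under the webroot) and the dump file extensions it looks for are assumptions; adjust them to your own installation.

```shell
#!/bin/sh
# Added example (not from the article): audit a forum webroot for the
# leftover validator.php described in the text and for database dumps left
# in a web-reachable directory. Paths and extensions below are assumptions.

# audit_forum_root WEBROOT
# Prints one "FOUND ..." line per finding on stdout.
# Returns 0 when the tree is clean, 1 when at least one finding exists.
audit_forum_root() {
    root="$1"
    status=0

    # 1. Any copy of validator.php under the webroot is a finding: anyone
    #    who can reach it in a browser gets a full listing of the install.
    v=$(find "$root" -type f -name 'validator.php')
    if [ -n "$v" ]; then
        printf '%s\n' "$v" | sed 's/^/FOUND leftover validator.php: /'
        status=1
    fi

    # 2. Database dumps stored below the webroot are downloadable once their
    #    names are known. The extension list is an assumption; extend it to
    #    match whatever your backup job writes.
    d=$(find "$root" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.bz2' \))
    if [ -n "$d" ]; then
        printf '%s\n' "$d" | sed 's/^/FOUND web-reachable database dump: /'
        status=1
    fi

    return $status
}

# remove_validator WEBROOT
# Deletes every validator.php below WEBROOT and prints each path removed.
remove_validator() {
    find "$1" -type f -name 'validator.php' -print -exec rm -f {} +
}

# Demo on a constructed directory tree (not a real installation).
demo=$(mktemp -d)
mkdir -p "$demo/forum/backup"
: > "$demo/forum/validator.php"
: > "$demo/forum/backup/forum-dump.sql.gz"
audit_forum_root "$demo/forum" || echo "audit: findings present, removing validator.php"
remove_validator "$demo/forum"
rm -rf "$demo"
```

Run it as `audit_forum_root /var/www/forum` from a shell that has sourced the script; a non-zero exit code makes it easy to wire into a cron job or a deployment check. Deleting validator.php closes the listing; the dumps still need to be moved outside the document root or denied in the web server configuration.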

Update: The same vulnerability has been confirmed in DGT-nullified versions of Invision Power Board (IP.Board), another popular forum software. The cracked IP.Board releases also contain the validator.php file, which lies at the core of this directory listing weakness. An exploit which misuses this file to automatically find and download potentially sensitive files from a host is already available in the wild.

However, it is worth noting that DGT, as a prominent cracking group, has released nullified versions of many commercial Web applications. Therefore, it is safe to assume that the impact of this weakness might go well beyond rogue vBulletin and IP.Board installations.

Edit: Corrected the link to paxnWo's post.