Dissecting an N-Day vBulletin RCE
In this blog post, we take a closer look at a pre-auth Remote Code Execution (RCE) vulnerability affecting vBulletin versions 5.x and 6.x that was likely patched a year ago. The bug stems from the misuse of PHP’s Reflection API within vBulletin’s API controller logic, combined with certain changes introduced in PHP 8.1 that allow protected (and even private) methods to be invoked via, e.g., the ReflectionMethod::invoke() method. We’ll walk through how this API design flaw enables attackers to directly call internal methods that were never meant to be exposed — and why relying on method visibility for security boundaries can be a dangerous assumption.
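
The pattern described above, as an added example that is not code from vBulletin or from the original post: a toy dispatcher that relies on method visibility as its access boundary, next to one that enforces an allowlist and an explicit isPublic() check. The names ExampleApi, dispatchUnchecked and dispatchChecked are hypothetical.

```php
<?php
// Added illustration; class and function names are hypothetical, not vBulletin code.

final class ExampleApi
{
    public function getGreeting(string $name): string
    {
        return "hello {$name}";
    }

    // Internal helper that was never meant to be reachable from a request.
    protected function internalHelper(string $arg): string
    {
        return "internal:{$arg}";
    }
}

// Pattern at risk: trusts method visibility to act as the access boundary.
function dispatchUnchecked(object $api, string $method, array $args): mixed
{
    $ref = new ReflectionMethod($api, $method);
    // PHP < 8.1: invoking a protected/private method throws ReflectionException
    //            unless setAccessible(true) was called first.
    // PHP >= 8.1: all methods are invokable through Reflection by default.
    return $ref->invokeArgs($api, $args);
}

// Hardened: explicit allowlist plus an explicit visibility check.
function dispatchChecked(object $api, string $method, array $args, array $allowed): mixed
{
    if (!in_array($method, $allowed, true) || !method_exists($api, $method)) {
        throw new RuntimeException('method not exposed');
    }
    $ref = new ReflectionMethod($api, $method);
    if (!$ref->isPublic()) {
        throw new RuntimeException('method not exposed');
    }
    return $ref->invokeArgs($api, $args);
}

$api = new ExampleApi();
foreach (['getGreeting', 'internalHelper'] as $m) {
    foreach (['dispatchUnchecked', 'dispatchChecked'] as $fn) {
        try {
            $extra = $fn === 'dispatchChecked' ? [['getGreeting']] : [];
            echo "{$fn}({$m}): " . $fn($api, $m, ['x'], ...$extra) . "\n";
        } catch (Throwable $e) {
            echo "{$fn}({$m}): rejected (" . get_class($e) . ")\n";
        }
    }
}
```

Running the same file under PHP 8.0 and PHP 8.1 or later shows that only the unchecked dispatcher changes behaviour between versions.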
























