This script is Copyright (C) 2013 Tenable Network Security, Inc.
A bulletin board system hosted on the remote web server has a security
The vBulletin install hosted on the remote host allows access to the
upgrade.php script.Â The vendor recommends that access to this be
disabled as a precaution.
Note that the version may be affected by a security bypass vulnerability
due to an error in the configuration mechanism.Â This could allow a
remote, unauthenticated attacker to create a new user account with
administrator privileges by sending a specially crafted request to the
'install/upgrade.php' or 'core/install/upgrade.php' script.Â This could
then allow the attacker to gain administrative access to the vBulletin
Note that Nessus has not tested for the vulnerability itself, but
instead checked only to see if upgrade.php is accessible without
See also :
Remove the 'install/upgrade.php' or 'core/install/upgrade.php' script
as well as refer to the supplied URL for additional steps from the
vendor. Additionally, conduct a full security review of the host, as it
may have been compromised.
Risk factor :
High / CVSS Base Score : 7.5
Family: CGI abuses
Nessus Plugin ID: 70764 ()
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.