Still safe, I think?

If I understand this correctly, http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
… it means that we aren’t affected because posting of pictures is disabled on this board:

“vBulletin allows forum users to share media files by uploading them to the
remote server. Some pages allow users to specify a URL to a media file
that a user wants to share which will then be retrieved by vBulletin.
The user-provided links are validated to make sure that users can only access
resources from HTTP/HTTPS protocols and that connections are not allowed in to
the localhost.”

Well, except for in the Marketplace forum. So the danger space is limited, and Marketplace posters have to be paying subscribers.

From Marketplace run rules sticky

Practically speaking, that means that a bad actor has to go to the trouble of registering and paying for a subscription, and the malware being served up would be explicitly tied to their on-board identity. It’s probably easier and more effective to just put malspam on an advertising provider. Not like that ever happens or anything. :rolleyes:

Sounds like it would NOT affect posts in the Marketplace forum, or any other; it’s limited to specially crafted links placed in the attacker’s profile.

I haven’t read all the details, but it might be a good idea to disable the posting of links in profiles. (Sorry, avatar script users!)

“Malspam on an advertising provider” would generally be targeting us users. This thing would be targeting the board itself.