vBulletin Denial-of-Service Vulnerability via Buddy List Overload

A denial-of-service vulnerability exists in vBulletin version 3.8.7, specifically within the misc.php?do=buddylist endpoint. This issue arises when an authenticated user has a large buddy list, as the system processes the entire list without pagination. The excessive memory consumption can exhaust system resources, leading to a crash of the forum.

Impact

Exploitation of this vulnerability can cause significant query lag or crash the MySQL database server, especially on large forums.

Reproduction

To reproduce this vulnerability, first, add a large number of friends to the buddy list by posting to the profile.php endpoint with the listbits parameter. This can be done by including thousands of user IDs in the listbits[buddy] field. Once the buddy list is sufficiently large, access the misc.php?do=buddylist endpoint. The server will process the entire buddy list in a single, resource-intensive query, which can overwhelm the database and cause it to crash.

Remediation

vBulletin users can apply query pagination or limit the number of buddy entries retrieved per request. Additionally, implementing rate limiting and validation on buddy list modifications can help mitigate this issue.