Hello and welcome to the Wednesday, June 4, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and in this episode brought you by the Sands.edu Credit Certificate Program in Cybersecurity Leadership.

I'm recording in Jacksonville, Florida.

Well, in Diaries today, I looked a little bit more at the V-bulletin vulnerability that I mentioned earlier this week and exploits that we observed around

this particular vulnerability. V-bulletin again, it's a bulletin board software.

It's quite popular.

It's a commercial offering, not an open source offering in that sense.

It's written in a PHP.

And I think this vulnerability really has two sort of interesting aspects that I think haunt a lot of sort of vulnerabilities and also vulnerability mitigation.

Now, this vulnerability was first really explained by this particular blog post from Agideo Romano. I think I mentioned the wrong name in the diary

originally, but Egideo here is the one that really sort of dove into this patch that the

bulletin had released about a year ago and then explained how this particular vulnerability can get exploited.

That's sort of really where it gets interesting.

So the Bulletin implements an API as so many web applications.

And this API does expose specific classes.

Now, the problem here is that in PHP version 8.1, how you access particular methods in

these classes change somewhat.

So methods that you considered being protected, private, not accessible to basically any call from outside the class have now

been exposed in PHP version 8.1. Now there's more details to it. It basically uses these

reflections which are used to interrogate classes and figure out how to call a particular

method. And that's really sort of where the change happened. It's, in my opinion, not a well-documented

change. I looked at the 8.1 change flock. Didn't really see it there. But then in the actual

...