vbulletin vulnerability in v. 3.8.6

sorry guys I have no idea where to post this as the section about the board isn't accessible to users. So feel free to move if needed: hope this hasn't been posted yet:

vBulletin vuln gifts admin credentials to unwashed masses
Click to expand...

http://www.theregister.co.uk/2010/07/23/vbulletin_vuln/

Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels.

The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored. The forumware giant issued a patch on Wednesday, but a simple Google search on Friday revealed that scores of users have yet to apply it, meaning their administrative user names and passwords are wide open.

Exploiting the bug is as easy as entering “database” (minus quotes) in the search box of a forum's FAQ page. Vulnerable sites respond by returning everything that's needed to view sensitive user information or make administrative changes.

The patch updates users to version 3.8.6 PL1. Users who want to make sure the fix has worked should check for the string “database_ingo,” which is removed once the new version has correctly been installed.
Click to expand...

ps: couldn't find the current version used here.

Log in or Sign up

vbulletin vulnerability in v. 3.8.6

Logos Registered Member

ronjor Global Moderator

Log in or Sign up

vbulletin vulnerability in v. 3.8.6

Logos Registered Member

ronjor Global Moderator

Useful Searches