vBulletin vuln gifts admin credentials to unwashed masses

Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels. The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored …

COMMENTS

This topic is closed for new posts.
FAIL

Wow

I can't say anything else. That's probably one of the most asinine vulnerabilities I've ever seen.

4
0
Troll

And this . . .

... is why I don't run Windows.

What?

2
4
WTF?

Deliberate wide-open back door?

Surely this can't be any kind of bug, more an intentional back door? It's pretty hard to 'accidentally' code:

    // Commenter's illustrative pseudocode of a query that dumps secrets
    if ($q == 'database') {
        echo $keys_to_the_castle;
    }

So what's the likelihood that it was a back door added during development that was never removed when it went public? Perhaps some smart arse thought "No need to code review the FAQ bit, that's not important"...

6
0
Silver badge

Oh well

So coding isn't one of their strong points. I'm sure you can find some good things about vBulletin if you look really carefully. I'm still looking though.

4
0

Anyone know of some affected websites?

I wanna try out my newfound hacking ability

2
0

This post has been deleted by a moderator

Flame

php in shit *shock*

Who'd have thunk it?

0
2
Bronze badge
Thumb Up

Just checked one of my faves

The only forum I frequent that uses vBulletin seems to have patched it up... Darn :P

0
0
Anonymous Coward

Doesn't work

I tried this on my 3.7.4 vBulletin site and it gives no such data out.

0
0

affects v 3.8.6

Yes, the story does say "The flaw in version 3.8.6 of vBulletin". So it's not surprising the version you tested didn't fess up.

0
0

v 3.8.6

That's because of this bit of the story: "The flaw in version 3.8.6"

0
0