vBulletin vuln gifts admin credentials to unwashed masses
Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels. The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored …
Wow
I can't say anything else. That's probably one of the most asinine vulnerabilities I've ever seen.
Deliberate wide-open back door?
Surely this can't be any kind of bug, more an intentional back door? It's pretty hard to 'accidentally' code:
if ($q == 'database') {
echo $keys_to_the_castle;
}
So what's the likelihood that it was a back door added during development that was never removed when it went public? Perhaps some smart arse thought "No need to code review the FAQ bit, that's not important"...
Oh well
So coding isn't one of their strong points. I'm sure you can find some good things about vBulletin if you look really carefully. I'm still looking though.
Anyone know of some affected websites?
I wanna try out my newfound hacking ability
Just checked one of my faves
The only forum I frequent that uses vBulletin seems to have patched it up... Darn :P
Doesn't work
I tried this on my 3.7.4 vBulletin site and it gives no such data out.
affects v 3.8.6
Yes, the story does say "The flaw in version 3.8.6 of vBulletin". So it's not surprising the version you tested didn't fess up.
v 3.8.6
That's because of this bit of the story: "The flaw in version 3.8.6".
