vBulletin vuln gifts admin credentials to unwashed masses

Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels. The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored …

This topic is closed for new posts.

Posted Friday 23rd July 2010 22:10 GMT

David Eddleman

Wow

I can't say anything else. That's probably one of the most asinine vulnerabilities I've ever seen.

Posted Friday 23rd July 2010 22:10 GMT

Anonymous Coward

And this . . .

... is why I don't run Windows.

What?

Posted Friday 23rd July 2010 22:11 GMT

Jeremy 2

Deliberate wide-open back door?

Surely this can't be any kind of bug, more an intentional back door? It's pretty hard to 'accidentally' code:

if (q == 'database') {

echo $keys_to_the_castle;

}

So what's the likelihood that it was a back door added during development that was never removed when it went public? Perhaps some smart arse thought "No need to code review the FAQ bit, that's not important"...

Posted Saturday 24th July 2010 08:12 GMT

Ole Juul

Oh well

So coding isn't one of their strong points. I'm sure you can find some good things about vBulletin if you look really carefully. I'm still looking though.

Posted Saturday 24th July 2010 11:32 GMT

iRadiate