Wow
I can't say anything else. That's probably one of the most asinine vulnerabilities I've ever seen.
Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels. The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often …
Surely this can't be any kind of bug, more an intentional back door? It's pretty hard to 'accidentally' code:
if ($q == 'database') {
    echo $keys_to_the_castle;
}
So what's the likelihood that it was a back door added during development that was never removed when it went public? Perhaps some smart arse thought "No need to code review the FAQ bit, that's not important"...