vBulletin vuln gifts admin credentials to unwashed masses

Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels. The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often …

COMMENTS

This topic is closed for new posts.
  1. David Eddleman
    FAIL

    Wow

    I can't say anything else. That's probably one of the most asinine vulnerabilities I've ever seen.

  2. Anonymous Coward
    Troll

    And this . . .

    ... is why I don't run Windows.

    What?

  3. Jeremy 2
    WTF?

    Deliberate wide-open back door?

    Surely this can't be any kind of bug, more an intentional back door? It's pretty hard to 'accidentally' code:

    // PHP: a leftover debug branch keyed on a request parameter
    if ($q == 'database') {
        echo $keys_to_the_castle;   // dumps the site's secrets to whoever asked
    }

    So what's the likelihood that it was a back door added during development that was never removed when it went public? Perhaps some smart arse thought "No need to code review the FAQ bit, that's not important"...
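    The pattern the comment above sketches, set beside a handler that cannot leak configuration, as an added example that is not vBulletin's code or anything from the article. The function names, the $config and $faq arrays and the 'database' trigger value are all constructed for illustration.

```php
<?php
// Added example, not vBulletin's code. Contrasts a leftover debug branch that
// echoes configuration with a FAQ handler that never has the secrets in scope.
// All names and values below are hypothetical / constructed.

$config = [                          // constructed placeholder configuration
    'db_host' => 'localhost',
    'db_user' => 'forum',
    'db_pass' => 'PLACEHOLDER-NOT-A-REAL-PASSWORD',
];

$faq = [                             // constructed FAQ entries keyed by topic
    'posting' => 'How do I write a post? Click "New Thread" in a forum.',
    'avatars' => 'How do I set an avatar? Open User CP, then Edit Avatar.',
];

// Insecure: a debugging branch keyed on an attacker-controlled parameter hands
// the entire configuration, credentials included, to any visitor who asks.
function render_faq_insecure(string $q, array $faq, array $config): string {
    if ($q === 'database') {
        return '<pre>' . print_r($config, true) . '</pre>';   // keys to the castle
    }
    return $faq[$q] ?? 'No such topic.';
}

// Hardened: the handler receives only FAQ text (configuration is not passed in,
// so there is nothing to leak), unknown topics get a fixed message, and the
// output is HTML-escaped before it reaches the page.
function render_faq_secure(string $q, array $faq): string {
    if (!array_key_exists($q, $faq)) {
        return 'No such topic.';
    }
    return htmlspecialchars($faq[$q], ENT_QUOTES, 'UTF-8');
}

$q = (string) ($_GET['q'] ?? '');    // untrusted input
echo render_faq_secure($q, $faq);
```

    Any debug or diagnostic output should be gated on a server-side setting that is off by default in production, never on a value the client supplies.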

  4. Ole Juul

    Oh well

    So coding isn't one of their strong points. I'm sure you can find some good things about vBulletin if you look really carefully. I'm still looking though.

  5. iRadiate

    Anyone know of some affected websites?

    I wanna try out my newfound hacking ability

  6. zonky
    Flame

    php in shit *shock*

    Who'd have thunk it?

  7. Tim Bates
    Thumb Up

    Just checked one of my faves

    The only forum I frequent that uses vBulletin seems to have patched it up... Darn :P

  8. Anonymous Coward
    Anonymous Coward

    Doesn't work

    I tried this on my 3.7.4 vBulletin site and it gives no such data out.

    1. Dave 27

      affects v 3.8.6

      Yes, the story does say "The flaw in version 3.8.6 of vBulletin". So it's not surprising the version you tested didn't fess up.

    2. Dave 27

      v 3.8.6

      That's because of this bit of the story "The flaw in version 3.8.6"
