vBulletin - Just Type 'database'

Bob2002

ULTIMATE Member
vBulletin vuln gifts admin credentials to unwashed masses

Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels.

The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored. The forumware giant issued a patch on Wednesday, but a simple Google search on Friday revealed that scores of users have yet to apply it, meaning their administrative user names and passwords are wide open.

Exploiting the bug is as easy as entering “database” (minus quotes) in the search box of a forum's FAQ page. Vulnerable sites respond by returning everything that's needed to view sensitive user information or make administrative changes.

The patch updates users to version 3.8.6 PL1. Users who want to make sure the fix has worked should check for the string “database_ingo,” which is removed once the new version has correctly been installed.

http://www.theregister.co.uk/2010/07/23/vbulletin_vuln/

Most forums I've come across don't seem to be vulnerable however I did find one that displayed admin user/pass - must be the world's simplest exploit. :hrmph:
 
heh, not the sorta thing I would be spreading.. surprised this made it out of 0-day.. that and the fact you posted it here and didn't email to mark
 
I am guessing Bob already saw my update that the flaw had been patched. In any case the exploit is already widely known and so simple to do that even a child with limited knowledge could get it working. I have tested it on some vB forums that I know and informed their owners to patch it.
 
heh, not the sorta thing I would be spreading.. surprised this made it out of 0-day.. that and the fact you posted it here and didn't email to mark

It was reported on the BBC News website, which is where I saw it (along with a bazillion other people). I also noted Mark had applied the update already. :hrmph:
 
heh then it's just me that's bothered by the posting of such things.. did a google search last night and since it was posted in public I've seen a lot more hacked forums....
 
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved