
RE: vBulletin - Critical Information Disclosure

Confirmed on some 3.8.6 version.
Thanks for spreading this :)

-----Original Message-----
From: advisories@xxxxxxxxxxxx [mailto:advisories@xxxxxxxxxxxx] 
Sent: Thursday 22 July 2010 20:17
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: vBulletin - Critical Information Disclosure

Versions Affected: 3.8.6 (Only!)

Content publishing, search, security, and more - vBulletin has it all. Whether
it's available features, support, or ease-of-use, vBulletin offers the most
for your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.

External Links:

-:: The Advisory ::-
vBulletin is prone to information disclosure of the entire database
credentials used in config.php via the faq.php file.

By searching for "database" on a vulnerable installation of vBulletin an
attacker is shown the information mentioned above.

-:: Solution ::-
A patch is available from http://members.vbulletin.com

Alternatively, search for "database_ingo" in the Phrase Manager within the
Admin Control Panel, and delete or edit all critical details.

Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July

After searching the Internet a bit I discovered that I wasn't the only one
who knew about this bug. Please note that I give full credit to the
rightful finder / owner of this exploit.


All of the best,