vBulletin flaw put online forum customer details at risk

Summary: A flaw in a specific version of the vBulletin software would expose subscribers' details through the FAQ sections of online forums running it

A security hole has been found in the vBulletin forum software that, if exploited, would give hackers access to personal information on compromised websites.

The flaw, which is specific to the FAQ section of version 3.8.6 of the vBulletin software, could give potential infiltrators access to subscribers' details. vBulletin admin logons are not exposed, according to a post on Twitter from Kier Darby, former vBulletin developer and product manager.

Internet Brands, which acquired vBulletin in 2007, discovered the flaw on 21 July and issued a patch on the same day. In a reply to another Twitter user, Darby warned administrators who have not yet patched that if "phpMyAdmin is installed with db authentication mode... the leaked MySQL credentials are calamitous".

The patch (3.8.6 PL1), issued on Wednesday, was made available via the vBulletin forums, and the company advises users of 3.8.6 to upgrade immediately. It also says that users can verify the patch has been installed by searching for the phrase database_ingo, which is removed when the patch has been successfully applied.

Users who have yet to upgrade to 3.8.6 will not need to apply the patch manually when they do, as it has already been applied to the download package.

Originally developed by Jelsoft Enterprises, the vBulletin platform is commercially focused software, written in PHP and drawing data from MySQL databases. It is mostly used as the basis for internet forums.

Trend Micro senior security advisor Rik Ferguson told ZDNet UK on Friday that "vulnerabilities continue to be an issue that plague businesses and consumers alike". He added that more than 2000 vulnerabilities rated as 'critical' were reported in the last year alone.
