vBulletin flaw put online forum customer details at risk

Summary: A flaw would expose subscribers' details through the FAQ sections of online forums running on a specific version of the vBulletin software

A security hole has been found in the vBulletin forum software that, if exploited, would give hackers access to personal information on compromised websites.

The flaw, which is specific to the FAQ section of version 3.8.6 of the vBulletin software, could give potential infiltrators access to subscribers' details. vBulletin admin logons are not exposed, according to a post on Twitter from Kier Darby, former vBulletin developer and product manager.

Internet Brands, which acquired vBulletin in 2007, discovered the flaw on 21 July and issued a patch the same day. Replying to another Twitter user, Darby warned administrators who had not yet patched that if "phpMyAdmin is installed with db authentication mode... the leaked MySQL credentials are calamitous".

The patch (3.8.6 PL1), issued on Wednesday, was made available via the vBulletin forums, and users of 3.8.6 are advised to upgrade immediately. The company also says that users can verify that the patch has been installed by searching for the phrase database_ingo, which is removed once the patch has been successfully applied.

Users who have yet to upgrade to 3.8.6 will not need to apply the patch manually when they do, as it has already been incorporated into the download package.

Originally developed by Jelsoft Enterprises, the vBulletin platform is commercially focused software, written in PHP and drawing data from MySQL databases. It is mostly used as the basis for internet forums.

Trend Micro senior security advisor Rik Ferguson told ZDNet UK on Friday that "vulnerabilities continue to be an issue that plague businesses and consumers alike". He added that more than 2000 vulnerabilities rated as 'critical' were reported in the last year alone.

Ben Woods

  • Please note that this article incorrectly cites my tweets - having phpMyAdmin in database authentication mode while vBulletin leaks the MySQL credentials would be extremely bad and would allow a malicious user complete access to the vBulletin database.

    I have emailed a correction to the editor.

    These are the tweets in question:

    My original warning:

    Explanation that it is not vBulletin admin details that are leaked:

    Statement that the leaked MySQL credentials will not be usable against most servers:

    A note that servers with phpMyAdmin in database-authentication mode would be exploitable:
  • Internet Brands, which acquired vBulletin in 2007, was informed of the flaw on 21 July and issued a patch on 21 July several hours later.
  • @Kier & Rolla - Thanks for the comments, we'll make the amendments as necessary.
    Ben Woods