vBulletin flaw put online forum customer details at risk

A flaw would expose subscribers' details through the FAQ sections of online forums running on a specific version of the vBulletin software
Written by Ben Woods, Contributor

A security hole has been found in the vBulletin forum software that, if exploited, would give hackers access to personal information on compromised websites.

The flaw, which is specific to the FAQ section of version 3.8.6 of the vBulletin software, could give potential infiltrators access to subscribers' details. vBulletin admin logons are not exposed, according to a post on Twitter from Kier Darby, former vBulletin developer and product manager.

Internet Brands, which acquired vBulletin in 2007, discovered the flaw on 21 July and issued a patch on the same day. Replying to another Twitter user, Darby warned administrators who had not yet patched that if "phpMyAdmin is installed with db authentication mode... the leaked MySQL credentials are calamitous".

The patch (3.8.6 PL1), issued on Wednesday, was made available via the vBulletin forums, and the company advises users of 3.8.6 to upgrade immediately. It also says that users can verify that the patch has been installed by searching for the phrase database_ingo, which is removed when the patch has been successfully applied.

Users who have not yet upgraded to 3.8.6 will not need to apply the patch manually when they do, as it has already been incorporated into the download package.
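The article's verification step (search the installation for the phrase name database_ingo; its absence indicates the fix is in place) can be scripted. The snippet below is an added example written for this page, not code from the article or from vBulletin. It assumes the phrase name appears as a literal string in files under the forum's install directory; the phrase table in MySQL is the other place an administrator would check, and this script does not cover it. The sample directory trees it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the article or of vBulletin itself.
# Checks whether a vBulletin install tree still contains the pre-patch
# phrase name "database_ingo" (assumption: it is present as a literal
# string in files under the install directory when the patch is missing).

# vb_patch_check DIR
#   Prints a verdict. Returns 0 if the phrase is absent (consistent with
#   3.8.6 PL1 having been applied), 1 if it is still present.
vb_patch_check() {
    dir="$1"
    # POSIX find + grep -l: list every regular file containing the string.
    # "|| true" keeps the search from aborting a caller running under set -e
    # when grep reports "no match" with a non-zero status.
    hits=$(find "$dir" -type f -exec grep -l 'database_ingo' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "database_ingo still present (patch apparently NOT applied) in:"
        echo "$hits"
        return 1
    fi
    echo "database_ingo not found under $dir (consistent with the patch applied)"
    return 0
}

# demo_setup
#   Builds two constructed sample trees in a temp directory and prints its
#   path: "unpatched" still carries the phrase name, "patched" does not.
demo_setup() {
    base=$(mktemp -d)
    mkdir -p "$base/unpatched/install" "$base/patched/install"
    # Constructed sample content; not a real vBulletin language file.
    printf 'phrase database_ingo (sample, unpatched)\n' \
        > "$base/unpatched/install/sample-language.txt"
    printf 'phrase database_info (sample, patched)\n' \
        > "$base/patched/install/sample-language.txt"
    echo "$base"
}

# Stand-alone usage: run the check against both sample trees.
if [ "${1:-}" = "--demo" ]; then
    base=$(demo_setup)
    vb_patch_check "$base/unpatched" || true
    vb_patch_check "$base/patched" || true
    rm -rf "$base"
fi
```

In practice an administrator would point `vb_patch_check` at the real forum root (for example `vb_patch_check /var/www/forum`) and, separately, confirm the phrase is gone from the database-backed phrase manager, since a clean file tree alone does not prove the stored phrases were updated.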

Originally developed by Jelsoft Enterprises, the vBulletin platform is commercially focused software, written in PHP and drawing data from MySQL databases. It is mostly used as the basis for internet forums.

Trend Micro senior security advisor Rik Ferguson told ZDNet UK on Friday that "vulnerabilities continue to be an issue that plague businesses and consumers alike". He added that more than 2000 vulnerabilities rated as 'critical' were reported in the last year alone.
