vBulletin 3.8.6 database credential disclosure

2010-07-23 / 2010-07-24
Credit: MaXe
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Versions Affected: 3.8.6 (Only!)

Info: Content publishing, search, security, and more: vBulletin has it all. Whether it's available features, support, or ease-of-use, vBulletin offers the most for your money. Learn more about what makes vBulletin the choice for people who are serious about creating thriving online communities.

External Links: http://www.vbulletin.com/

-:: The Advisory ::-

vBulletin 3.8.6 discloses the complete set of database credentials stored in config.php through faq.php. A remote attacker who searches the FAQ of a vulnerable installation for "database" is shown those credentials in the search results.

-:: Solution ::-

A patch (3.8.6 PL1) is available from http://members.vbulletin.com

Alternatively, search for "database_ingo" in the Phrase Manager within the Admin Control Panel, and delete or edit all critical details. Because anyone who searched the FAQ before the fix may already have read the credentials, change the database password as well and confirm afterwards that the FAQ search no longer returns it.

Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July 2010

Note: After searching the Internet a bit I discovered that I wasn't the only one who knew about this bug. Please note that I give full credit to the rightful finder / owner of this exploit.

References:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/2857-vbulletin-3-8-6-critical-information-disclosure.html
http://www.vbulletin.com/forum/showthread.php?357818-Security-Patch-Release-3.8.6-PL1

All of the best,
MaXe
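Two checks a defender would want around this advisory, as an added example that is not part of MaXe's advisory or of vBulletin's own code: a scan of web-server access logs for the FAQ search the advisory names as the trigger (a request to faq.php whose query string carries "database"), and a post-fix verification that a captured faq.php search response no longer contains the site's own config.php secrets. The log lines, the HTML responses and the secrets are constructed for the example; the combined log format and the assumption that faq.php receives its search string as a query-string parameter (every parameter value is inspected, so the exact parameter name does not matter) are assumptions, not details taken from the advisory.

```python
"""Added example (not part of MaXe's advisory or of vBulletin):
detection and post-fix verification for the vBulletin 3.8.6 faq.php
database credential disclosure.

Assumptions (not from the advisory): combined access-log format, and a
faq.php search string passed in the query string (any parameter value is
inspected, so the parameter name, e.g. q=, does not matter).
"""
import html
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2010:10:01:02 +0000] "GET /forum/faq.php?do=search&q=database&match=all HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2010:10:01:05 +0000] "GET /forum/faq.php?do=search&q=Data%62ase HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jul/2010:10:02:00 +0000] "GET /forum/faq.php?faq=vb_board_usage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jul/2010:10:02:30 +0000] "GET /forum/search.php?q=database HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Jul/2010:10:03:00 +0000] "GET /forum/faq.php?do=search&q=registration HTTP/1.1" 200 4096 "-" "curl/7.19"
"""

# Fields of a combined-format line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_faq_database_search(target: str) -> bool:
    """True if the request target is faq.php and any percent-decoded query
    parameter value contains 'database' (case-insensitive). Decoding first
    catches obfuscated spellings such as Data%62ase."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != "faq.php":
        return False
    return any("database" in value.lower()
               for _, value in parse_qsl(parts.query, keep_blank_values=True))


def find_faq_leak_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return the log entries that look like attempts to trigger the leak."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_faq_database_search(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"]})
    return hits


def secrets_in_response(body: str, secrets: List[str]) -> List[str]:
    """Post-fix verification: which of the site's own config.php secrets
    (supplied by the administrator) still appear in a faq.php search
    response. The body is HTML-unescaped first so that entity-encoded
    characters in a password (e.g. &amp; for &) do not hide a leak."""
    text = html.unescape(body)
    return [s for s in secrets if s and s in text]


# Constructed responses: one still leaking, one after the phrase was edited.
LEAKY_RESPONSE = "<div class='faq'>...host db01 user vbuser pass s3cr&amp;t!...</div>"
CLEAN_RESPONSE = "<div class='faq'>No results found for 'database'.</div>"
# Constructed values; in practice read them from the site's config.php.
CONFIG_SECRETS = ["vbuser", "s3cr&t!"]

if __name__ == "__main__":
    for hit in find_faq_leak_attempts(SAMPLE_LOG):
        print("faq.php database search:", hit)
    print("still leaking:", secrets_in_response(LEAKY_RESPONSE, CONFIG_SECRETS))
    print("after fix:", secrets_in_response(CLEAN_RESPONSE, CONFIG_SECRETS))
```

Run it against the real access log and against the body of a real faq.php search response after applying the patch or editing the phrase; a non-empty result from secrets_in_response means the credentials are still exposed and must be changed.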


Copyright 2024, cxsecurity.com