Cable Forum


danielf 22-07-2010 22:51

vBulletin 3.8.6 security flaw
 
Quote:

A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data, the BBC has learned.

The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.

This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.

The owner of the program - Internet Brands - released a fix on 21 July.

However, at time of writing, many sites remain vulnerable.
http://www.bbc.co.uk/news/technology-10714192

Good thing this site uses vBulletin 3.8.5 :)

beeman 23-07-2010 09:00

Re: Vbulletin 3.8.6 security flaw
 
Quote:

Originally Posted by danielf (Post 35060982)

Good thing this site uses vBulletin 3.8.5 :)

You'll probably find 3.8.5 has the same issue ;) 3.8.6 is just a bug fix update for 3.8.5. So unless the fix caused this issue (possible but rarely happens) then this site is just as vulnerable.

MovedGoalPosts 23-07-2010 10:24

Re: Vbulletin 3.8.6 security flaw
 
The previous versions of vbulletin are not affected by the security issue. It is only vb 3.8.6 that is vulnerable. Thus this board is not compromised. We are in no rush to upgrade to 3.8.6, with 3.8.5 running adequately for our needs.

vb 3.8.6 was primarily a bug release, not a security release. Thus it wasn't dealing with vulnerabilities. However 3.8.6, only a few days old, did have a serious security problem with the FAQ system. The patch which has now been released fixes that. As a patch, the forum display numbering would not indicate if the upgrade had been added to the forum software; it would still display 3.8.6.

MetaWraith 23-07-2010 11:59

Re: Vbulletin 3.8.6 security flaw
 
Glad to know that our Forum Admins are on the ball, and that we're not at risk.
WTG Team.

Paul 24-07-2010 17:03

Re: vBulletin 3.8.6 security flaw
 
The issue was actually a debugging phrase that was accidentally left in the 3.8.6 release. It could have been used (via the FAQ system) to get the MySQL user and password. Which in theory someone could use to connect to the database (not here tho, as we don't allow external access).

