vBulletin 3.8.6 security flaw
22-07-2010, 22:51
|
#1
|
|
cf.mega poser
Join Date: Jun 2003
Posts: 16,687
|
vBulletin 3.8.6 security flaw
Quote:
A serious flaw in software widely used to power online discussion sites could allow hackers to harvest reams of personal data, the BBC has learned.
The flaw in a specific version of the vBulletin software allows anyone to easily access the main administrator username and password for a site.
This would also allow hackers to access data, such as e-mail addresses, and edit the site at will.
The owner of the program - Internet Brands - released a fix on 21 July.
However, at time of writing, many sites remain vulnerable.
|
http://www.bbc.co.uk/news/technology-10714192
Good thing this site uses vBulletin 3.8.5
__________________
Remember kids: We are blessed with a listening, caring government.
|
|
|
23-07-2010, 09:00
|
#2
|
|
Inactive
Join Date: Jul 2007
Location: cambridgeshire
Age: 44
Services: Virgin VIP package,
FREEVIEW
Posts: 466
|
Re: vBulletin 3.8.6 security flaw
Quote:
Originally Posted by danielf
Good thing this site uses vBulletin 3.8.5
|
You'll probably find 3.8.5 has the same issue. 3.8.6 is just a bug fix update for 3.8.5. So unless the fix caused this issue (possible but rarely happens) then this site is just as vulnerable.
|
|
|
23-07-2010, 10:24
|
#3
|
|
Inactive
Join Date: Jun 2003
Location: 127.0.0.1
Age: 61
Posts: 15,868
|
Re: vBulletin 3.8.6 security flaw
The previous versions of vBulletin are not affected by the security issue. It is only vb 3.8.6 that is vulnerable. Thus this board is not compromised. We are in no rush to upgrade to 3.8.6, with 3.8.5 running adequately for our needs.
vb 3.8.6 was primarily a bug release, not a security release. Thus it wasn't dealing with vulnerabilities. However 3.8.6, only a few days old, did have a serious security problem with the FAQ system. The patch which has now been released fixes that. As a patch, the forum display numbering would not indicate if the upgrade had been added to the forum software; it would still display 3.8.6.
|
|
|
23-07-2010, 11:59
|
#4
|
|
Inactive
Join Date: Oct 2003
Location: 2nd CPU to the right & past the cache
Posts: 1,949
|
Re: vBulletin 3.8.6 security flaw
Glad to know that our Forum Admins are on the ball, and that we're not at risk.
WTG Team.
|
|
|
24-07-2010, 17:03
|
#5
|
|
Dr Pepper Addict
Cable Forum Admin
Join Date: Oct 2003
Location: Nottingham
Age: 63
Services: IDNet FTTP (1000M), Sky Q TV, Sky Mobile, Flextel SIP
Posts: 30,324
|
Re: vBulletin 3.8.6 security flaw
The issue was actually a debugging phrase that was accidentally left in the 3.8.6 release. It could have been used (via the FAQ system) to get the mysql user and password. Which in theory someone could use to connect to the database (not here tho, as we don't allow external access).
__________________
Baby, I was born this way.
|
|
|