vBulletin urgent patch

vBulletin is a popular Internet forum/bulletin-board platform. Its support site has announced Security Patch Release 3.8.6 PL1:

It has come to our attention that 3.8.6 contains a security exploit related to the FAQ.

Just two files are in the PL1 release:

includes/version_vbulletin.php
install/vbulletin-language.xml

The urgent security patch, which removes a "database_ingo" phrase, comes only eight days after the release of 3.8.6. Without the patch anyone can easily log in to a vBulletin-powered forum as the administrator.

vBulletin also offers the following query as a fix:

DELETE FROM " . TABLE_PREFIX . "phrase WHERE varname = 'database_ingo'

Note: Either remove the " . TABLE_PREFIX . " or replace it with your database prefix as needed (the fragment above is written as a PHP string, so without a prefix the plain query is DELETE FROM phrase WHERE varname = 'database_ingo').

A query on database_ingo reveals the following phrase in a vulnerable database:

<phrase name="database_ingo" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[config['Database']['dbname']}<br />Database Host: {$vbulletin->config['MasterServer']['servername']}<br />Database Port: {$vbulletin->config['MasterServer']['port']}<br />Database Username: {$vbulletin->config['MasterServer']['username']}<br />Database Password: {$vbulletin->config['MasterServer']['password']}]]></phrase>

The problem here should be obvious.

Big oops.
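To make the check and the vendor's fix concrete, here is an added example (not vBulletin's code and not part of the original post) that scans the phrase table for any phrase whose text interpolates values from the $vbulletin->config array, and then applies the DELETE from the patch notes. It goes slightly beyond the post by flagging every config-referencing phrase, not only database_ingo. The table rows, the "vb_" prefix and the use of sqlite3 as an offline stand-in for vBulletin's MySQL database are all constructed for the example; the table prefix is validated before being spliced into the table name, since it cannot be passed as a bound parameter.

```python
import re
import sqlite3

# Constructed sample: a tiny stand-in for vBulletin's <prefix>phrase table.
# Real installs use MySQL; sqlite3 is used here only so the example runs offline.
# The rows are made up; the database_ingo text mirrors the phrase quoted in the post.
SAMPLE_PREFIX = "vb_"
SAMPLE_ROWS = [
    ("faq_title", "Frequently Asked Questions"),
    ("database_ingo",
     "Database Host: {$vbulletin->config['MasterServer']['servername']}<br />"
     "Database Password: {$vbulletin->config['MasterServer']['password']}"),
    ("welcome", "Welcome to the forum"),
]

# Any phrase that would interpolate an entry of the config array is suspicious:
# phrases are rendered to users, and config holds the database credentials.
CONFIG_REF = re.compile(r"\{\$vbulletin->config\[[^\]]*\]\[[^\]]*\]\}")


def _safe_prefix(prefix):
    """The prefix is spliced into the table name, so only allow identifier characters."""
    if not re.fullmatch(r"[A-Za-z0-9_]*", prefix):
        raise ValueError("table prefix must contain only letters, digits or underscore")
    return prefix


def build_sample_db(prefix=SAMPLE_PREFIX):
    """Create an in-memory phrase table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    table = _safe_prefix(prefix) + "phrase"
    conn.execute(f"CREATE TABLE {table} (varname TEXT, text TEXT)")
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_leaking_phrases(conn, prefix):
    """Return [(varname, [config references])] for every phrase exposing config values."""
    table = _safe_prefix(prefix) + "phrase"
    hits = []
    for varname, text in conn.execute(f"SELECT varname, text FROM {table}"):
        refs = CONFIG_REF.findall(text or "")
        if refs:
            hits.append((varname, refs))
    return hits


def remove_phrase(conn, prefix, varname="database_ingo"):
    """Apply the vendor's fix (DELETE ... WHERE varname = ...). Returns rows removed."""
    table = _safe_prefix(prefix) + "phrase"
    cur = conn.execute(f"DELETE FROM {table} WHERE varname = ?", (varname,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = build_sample_db()
    for name, refs in find_leaking_phrases(conn, SAMPLE_PREFIX):
        print(f"{name}: exposes {len(refs)} config value(s)")
    print("removed", remove_phrase(conn, SAMPLE_PREFIX), "row(s)")
    print("remaining leaks:", find_leaking_phrases(conn, SAMPLE_PREFIX))
```

Running the scan again after the delete returning an empty list is the confirmation a forum administrator would want after applying the one-line fix; an empty prefix is accepted, matching the "remove the TABLE_PREFIX" option in the patch note.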
