RE: vBulletin - Critical Information Disclosure

From: "Jon" <lunatike hotmail fr>
To: <advisories intern0t net>, <bugtraq securityfocus com>
Cc:
Subject: RE: vBulletin - Critical Information Disclosure
Date: Thu - Jul 22, 2010 02:59 PM
Confirmed on some 3.8.6 version.
Thanks for spreading this :)
-----Original Message-----
From: advisories@intern0t.net [mailto:advisories@intern0t.net]
Sent: Thursday 22 July 2010 20:17
To: bugtraq@securityfocus.com
Subject: vBulletin - Critical Information Disclosure
Versions Affected: 3.8.6 (Only!)
Info:
Content publishing, search, security, and more-vBulletin has it all. Whether
it's available features, support, or ease-of-use, vBulletin offers the most
for your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.
External Links:
http://www.vbulletin.com/
-:: The Advisory ::-
vBulletin is prone to information disclosure of the entire database
credentials used in config.php via the faq.php file.
By searching for "database" on a vulnerable installation of vBulletin an
attacker is shown the information mentioned above.
-:: Solution ::-
A patch is available from http://members.vbulletin.com
Alternatively, search for "database_ingo" in the Phrase Manager within the
Admin Control Panel, and delete or edit all critical details.
Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July
Note:
After searching the Internet a bit I discovered that I wasn't the only one
who knew about this bug. Please note that I give full credit to the
rightful finder / owner of this exploit.
References:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/2857-vbulletin-3-8-6-critical-information-disclosure.html
http://www.vbulletin.com/forum/showthread.php?357818-Security-Patch-Release-3.8.6-PL1
All of the best,
MaXe
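The advisory above says the leak is reached by searching the FAQ for "database", and the workaround is to patch or strip the "database_ingo" phrase. For an administrator who wants to know whether that search was used against their own installation before the patch went in, the following is an added example (not part of MaXe's advisory and not vBulletin's own code) that flags faq.php search requests for the watched term in Apache combined-format access logs. The log lines are constructed for the example, and the parameter names `do=search` and `q=` are assumed to be how vBulletin 3.x encodes a FAQ search in the query string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format; the IPs are
# documentation ranges and none of this comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2010:20:30:01 +0000] "GET /forum/faq.php?do=search&q=database HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jul/2010:20:30:07 +0000] "GET /forum/faq.php?do=search&q=Database+Error HTTP/1.1" 200 9310 "-" "curl/7.19.7"
192.0.2.44 - - [22/Jul/2010:20:31:15 +0000] "GET /forum/faq.php?faq=vb_faq HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Jul/2010:20:31:40 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2010:20:32:02 +0000] "POST /forum/faq.php HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The search term named in the advisory. Matching is case-insensitive and
# by substring, so "Database Error" is also caught.
WATCH_TERMS = ("database",)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_faq_phrase_probe(entry):
    """True if the request is a faq.php search (assumed do=search&q=...) for a watched term."""
    url = urlsplit(entry["path"])
    if not url.path.endswith("/faq.php"):
        return False
    qs = parse_qs(url.query)
    if qs.get("do", [""])[0] != "search":
        return False
    return any(
        term in value.lower() for value in qs.get("q", []) for term in WATCH_TERMS
    )


def find_probes(log_text):
    """Return (ip, timestamp, request path) for every FAQ phrase search in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_faq_phrase_probe(entry):
            hits.append((entry["ip"], entry["ts"], entry["path"]))
    return hits


if __name__ == "__main__":
    for ip, ts, path in find_probes(SAMPLE_LOG):
        print(f"{ts} {ip} searched FAQ phrases: {path}")
```

Two caveats apply when reading the output. Legitimate members do search the FAQ for "database" (for example after a "database error" page), so a hit is a triage signal rather than proof of compromise; what matters is whether the search happened while the unpatched "database_ingo" phrase was still present, in which case the config.php credentials should be treated as exposed and rotated. Also, a search submitted as a POST carries the term in the request body, which a standard access log does not record (the last sample line is skipped for that reason), so this check only sees GET-style searches.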