Vulnerability in Vbulletin 3.8.6

If you are running Vbulletin 3.8.6 (the latest 3.8.x version), make sure to remove the faq.php as soon as possible. A vulnerability has been found that allows anyone to retrieve the database credentials from there.

The VBSEO team was quick to react and sent the following note to their clients a little while ago:

Hello valued vBSEO customer,

It has come to our attention that a vulnerability on vBulletin 3.8.6
has been discovered. The exploit allows a malicious user to retrieve a
forum’s database credentials via the faq.php script.

If you are running vBulletin 3.8.6, we strongly recommend that you
remove the faq.php script and change your mysql database details as a

You can find faq.php in your vBulletin installation directory:

Update: Patch available here.

It seems that a patch is coming very soon too. Some discussion about this issue here. Thanks to Marcus Maciel for the heads up.


Comments are closed.

You May Also Like