Vulnerability Disclosure

Vulnerability in Vbulletin 3.8.6

If you are running Vbulletin 3.8.6 (the latest 3.8.x version), make sure to remove the faq.php as soon as possible. A vulnerability has been found that allows anyone to retrieve the database credentials from there.

The VBSEO team was quick to react and sent the following note to their clients a little while ago:

Hello valued vBSEO customer,
It has come to our attention that a vulnerability on vBulletin 3.8.6
has been discovered. The exploit allows a malicious user to retrieve a
forum’s database credentials via the faq.php script.
If you are running vBulletin 3.8.6, we strongly recommend that you
remove the faq.php script and change your mysql database details as a
precaution.
You can find faq.php in your vBulletin installation directory:
*/vbroot/faq.php

Update: Patch available here.

It seems that a patch is coming very soon too. Some discussion about this issue here. Thanks to Marcus Maciel for the heads up.

David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Related Tags

Hacked Websites

2 comments

Comments are closed.

WordPress Vulnerability & Patch Roundup November 2022

Cesar Anjos
November 29, 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes…

Read the Post

Adobe Patches Critical Magento Vulnerabilities in Recent Update

Ben Martin
August 13, 2021

Adobe has recently released several critical security patches for both their open source and commercial versions of their ecommerce platform. There are a total of…

Read the Post

Unauthenticated Stored Cross Site Scripting in WP Product Review

John Castro
May 14, 2020

During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review…

Read the Post

Dissecting the WordPress 5.2.3 Update

Marc-Alexandre Montpas
September 13, 2019

Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to…

Read the Post

SQL Injection Vulnerability in Joomla! 3.7

Marc-Alexandre Montpas
May 17, 2017

During regular research audits for our Sucuri Firewall (WAF), we discovered a SQL Injection vulnerability affecting Joomla! 3.7 – CVE-2017-8917. The vulnerability is easy to exploit and…

Read the Post

WordPress Vulnerability & Patch Roundup July 2023

Cesar Anjos
July 28, 2023

Read the Post

WordPress Vulnerability & Patch Roundup September 2022

Antony Garand
September 29, 2022

Read the Post

Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

Antony Garand
May 13, 2019

The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and…

Read the Post

WordPress Vulnerability & Patch Roundup December 2022

Rodrigo Escobar
December 28, 2022

Read the Post

Social Warfare Vulnerability Probes

Denis Sinegubko
March 29, 2019

After a recent disclosure of the Social Warfare plugin vulnerability, we’ve seen massive attacks that inject malicious JavaScripts into the plugin options. The vulnerability has…

Read the Post

Related Tags

2 comments

Related Categories

You May Also Like