vBulletin divulges MySQL login
Source: The H Security
A critical security vulnerability in the widely used forum software vBulletin allows attackers to easily gain access to any MySQL server running a forum. As a number of blogs report, if the term "database" is entered into the FAQ module's search box, the module hands over confidential data on a silver platter.
The flaw gives attackers power over the forum's entire database, including access to personal forum user data. The vendor says that version 3.8.6 of the software is vulnerable. A patch has already been made available. In a brief Google search, The H's associates at heise Security found countless vulnerable sites that were open to attack.
(crve)