vBulletin Security Flaw

Jul 22, 2010

A serious security flaw has been discovered in version 3.8.6 of the popular forum software vBulletin. The flaw enables anyone to easily access the main administrator username and password for a site, and could potentially allow hackers to access data, such as e-mail addresses, and edit the site at will.

We therefore strongly encourage customers who are running version 3.8.6 to immediately apply the patch provided by vBulletin, which carries the version number 3.8.6 PL1.

BBC News reports:

The flaw affects version 3.8.6 of the software, which was released on 13 July.
The simple hack, which the BBC has confirmed, allows even unskilled people to access many websites.

With a few key strokes the person can obtain the administrator’s username and password for the website. This can be used to log in to the site and modify and delete elements at will.