1. General information
vBulletin, developed and released by vBulletin Solutions, is the most popular forum software on the Internet. On July 22, 2010, a critical vulnerability was found in this software. The flaw allows a hacker to attack the targeted forum and take full control of its database.
2. Technical details
vBulletin includes an FAQ feature that lets forum members search for information of interest on the forum. The vulnerability lies in this feature.
Specifically, searching the FAQ with keywords related to the word "database" (such as "da", "ba", "se", ...) returns all of the forum database's information, including IP address, service port, accounts and passwords. This happens because vBulletin stores the database information and the FAQ text in the same database table.
By exploiting this vulnerability, hackers are able to take control of the forum's database for malicious purposes such as deleting or modifying the information it holds. This vulnerability only exists in vBulletin version 3.8.6.
3. Solutions
Rating this vulnerability as critical, Bkis recommends that individuals and organizations using vBulletin 3.8.6 immediately patch the flaw by following one of the two methods below:
Method 1:
1. Open the file vbulletin-language.xml (in the folder \upload\install), find and delete the following text:
<phrase name="database_ingo" date="1271086009" username="Jelsoft" version="3.8.5">
<![CDATA[
DatabaseName: {$vbulletin->config['Database']['dbname']}
DatabaseHost: {$vbulletin->config['MasterServer']['servername']}
DatabasePort: {$vbulletin->config['MasterServer']['port']}
DatabaseUsername: {$vbulletin->config['MasterServer']['username']}
DatabasePassword: {$vbulletin->config['MasterServer']['password']}
]]>
</phrase>
2. Then import the edited vbulletin-language.xml as follows:
AdminCP -> Languages & Phrases -> Download/Upload Languages -> Import Language XML File
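To verify the edit before re-importing, the following script (an added example, not Bkis's or vBulletin's code) scans a language XML file for any phrase whose text interpolates $vbulletin->config, which is exactly what makes the phrase above leak the database settings through the FAQ search, and produces a cleaned copy with those phrases removed. The sample XML and the surrounding language/phrasetype wrapper are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Any phrase text that references the live config object would print
# database settings to whoever can search the FAQ.
CONFIG_REF = re.compile(r"\$vbulletin->\s*config\[")

# Constructed sample, not a real vbulletin-language.xml: one harmless phrase
# and one modelled on the "database_ingo" phrase the advisory says to delete.
SAMPLE_XML = """<language name="English (US)">
 <phrasetype name="FAQ Text" fieldname="faqtext">
  <phrase name="faq_search" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[Search the FAQ]]></phrase>
  <phrase name="database_ingo" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[
DatabaseName: {$vbulletin->config['Database']['dbname']}
DatabasePassword: {$vbulletin->config['MasterServer']['password']}
]]></phrase>
 </phrasetype>
</language>
"""


def find_config_leaking_phrases(xml_text):
    """Return the varnames of all phrases whose text references $vbulletin->config."""
    root = ET.fromstring(xml_text)
    return [p.get("name") for p in root.iter("phrase")
            if CONFIG_REF.search(p.text or "")]


def strip_config_leaking_phrases(xml_text):
    """Return the XML with every config-referencing phrase removed,
    suitable for re-import through AdminCP."""
    root = ET.fromstring(xml_text)
    # Snapshot the element list first so removals do not disturb the walk.
    for parent in list(root.iter()):
        for phrase in list(parent.findall("phrase")):
            if CONFIG_REF.search(phrase.text or ""):
                parent.remove(phrase)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("leaking phrases:", find_config_leaking_phrases(SAMPLE_XML))
    cleaned = strip_config_leaking_phrases(SAMPLE_XML)
    print("leaking phrases after cleanup:", find_config_leaking_phrases(cleaned))
```

Run it against the real file by replacing SAMPLE_XML with the contents of vbulletin-language.xml; an empty result after cleanup means no phrase still exposes the configuration.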
Method 2:
Connect to the database and run the following SQL query:
DELETE FROM phrase WHERE varname = 'database_ingo'
Bkis