vBulletin 3.8.6, the last "bug fix" release for vBulletin 3 is now available for download. - Dynashox -
Only 11 bugs they have fixed for this version, http://tracker.vbulletin.com/secure/IssueNavigator.jspa?mode=hide&requestId=10191 - Dynashox -
If you have vb 4, you can download all updates. If you paid $50 to buy 3.8.6, you can download vb 4.0.x until your 3 months run out. Chances are this is worthless since vb 3.0.5 will change significantly and there are over 1,000 bugs in the tracker. 4.0.6 alone has roughly 50 bugs on its agenda to fix. Also be aware that if you installed the long-awaited 3.8.6 upgrade, you have also installed an embarrassing security exploit in the FAQ that can allow an unscrupulous person to retrieve your user name and password for your forum. There is a patch to remove the offending code. I'd love to know how that could possibly have made it into vBulletin's first upgrade to vBulletin 3 in a year... and supposedly there weren't even a dozen changes/fixes.
This version is exploitable. You have to get the patch from yesterday if you don't want to get pwnd. Great job VB at sucking arse for paid software.
Not quite, it reveals the details of the mysql database, which as far as I am aware is pretty useless unless you have access to the server or the mysql database has been set up for remote access. Obviously it's not great and I'm sure some people used the same username and password for their mysql database as their admin account on their forum, so it's possible some forums have been compromised, but it's not quite as bad as the reports are making out.
I meant mysql info for your forum which is incredibly dangerous and embarrassing. If someone finds even a small hole in your server, which from people having fun it seems to be quite many, your forum data is completely vulnerable. Once you have the mysql access info it's a piece of cake to access the admin account on the forum with just a few steps.
Pretty useless?
- db allows remote connections? You're screwed
- site has phpmyadmin somewhere, or another user on the same box? You're screwed
I am sure nobody wants their site dump being for sale on flippa or other web sites.
Of course you can argue that MySQL should not allow any connection from random IPs and that the MySQL username/password shouldn't be used for other things (like admin accounts). But that isn't really the point... exposing *anything* that only the administrator should see is BAD (anything from config.php file for example). I could also argue it doesn't affect me since I upgraded to vBulletin 4.x. Also not the point though.
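The two points raised above (the FAQ page revealing the MySQL details, and the rule that nothing from config.php should ever reach a visitor) can be turned into a check an administrator runs against their own forum after a report like this. The script below is an added example written for this thread, not vBulletin's patch or any code from the thread: it parses the `$config['Section']['key'] = '...';` assignments that vBulletin 3's config.php uses (the layout is assumed here, and every value is constructed), then reports which sensitive values appear verbatim in a rendered page. The two sample pages are constructed too, one leaking the connection details the way the thread describes and one clean.

```python
import re

# Constructed sample of a vBulletin 3 config.php. The key names follow the
# $config['Section']['key'] layout that vBulletin 3 uses (assumed here); the
# values are made up for this example.
SAMPLE_CONFIG_PHP = r"""<?php
$config['Database']['dbname'] = 'forum_db';
$config['MasterServer']['servername'] = 'localhost';
$config['MasterServer']['username'] = 'forumuser';
$config['MasterServer']['password'] = 'S3cretDbPass!';
$config['Misc']['cookieprefix'] = 'bb';
"""

# Constructed rendered FAQ page that echoes database connection details into
# HTML any visitor can read (the failure mode the thread describes).
SAMPLE_LEAKY_PAGE = """<html><body>
<h2>Frequently Asked Questions</h2>
<p>Database: forum_db on localhost as forumuser / S3cretDbPass!</p>
</body></html>"""

# Constructed rendered FAQ page with no configuration values in it.
SAMPLE_CLEAN_PAGE = """<html><body>
<h2>Frequently Asked Questions</h2>
<p>How do I register? Click the Register link at the top of any page.</p>
</body></html>"""

# Matches one single-quoted assignment: $config['Section']['key'] = 'value';
CONFIG_LINE = re.compile(
    r"""\$config\['(?P<section>\w+)'\]\['(?P<key>\w+)'\]\s*=\s*'(?P<value>[^']*)'\s*;"""
)

# Configuration keys a visitor must never be able to see.
SENSITIVE_KEYS = {
    ("MasterServer", "username"),
    ("MasterServer", "password"),
    ("MasterServer", "servername"),
    ("Database", "dbname"),
}


def parse_config(text):
    """Return {(section, key): value} for the single-quoted assignments in config.php text."""
    return {(m.group("section"), m.group("key")): m.group("value")
            for m in CONFIG_LINE.finditer(text)}


def find_leaked_secrets(config, page_html, min_len=4):
    """Return the sorted list of sensitive (section, key) pairs whose value appears in page_html.

    Values shorter than min_len are skipped so that short strings such as the
    cookie prefix 'bb', which occur naturally in page text, do not cause false alarms.
    """
    leaked = []
    for (section, key), value in config.items():
        if (section, key) not in SENSITIVE_KEYS:
            continue
        if len(value) >= min_len and value in page_html:
            leaked.append((section, key))
    return sorted(leaked)


def check_page(config_text, page_html):
    """Parse the config and report which sensitive keys leak into one rendered page."""
    return find_leaked_secrets(parse_config(config_text), page_html)


if __name__ == "__main__":
    for name, page in (("leaky FAQ", SAMPLE_LEAKY_PAGE), ("clean FAQ", SAMPLE_CLEAN_PAGE)):
        hits = check_page(SAMPLE_CONFIG_PHP, page)
        print(f"{name}: {'LEAK ' + str(hits) if hits else 'no config values found in output'}")
```

In practice you would feed `check_page` your real config.php and the HTML of each public page (FAQ, error pages, anything that renders templates), and treat any hit as a reason to apply the patch and rotate the database credentials, since the value has already been served to the public.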
I guess such exploits are bound to happen when we talk about software with so much functionality... as long as they are detected fast before damage is done it shouldn't be an issue... unless of course hackers come to know of it first.
This has nothing to do with multiple functionality or an exploit that is discovered by a hacker. There is no reason why (1) this kind of code should have been where it was in the first place - it's the keys to the castle not a creative exploit, and (2) how the QA team didn't catch this before it went out the door.