AOH :: HP Unsorted V :: B1A-1562.HTM

vBulletin - Critical Information Disclosure
vBulletin - Critical Information Disclosure
vBulletin - Critical Information Disclosure

Versions Affected: 3.8.6 (Only!)

Content publishing, search, security, and more=97vBulletin has it all. Whether
it=92s available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.

External Links: 

-:: The Advisory ::-
vBulletin is prone to information disclosure of the entire database
credentials used in config.php via the faq.php file.

By searching for "database" on a vulnerable installation of vBulletin
an attacker is shown the information mentioned above.

-:: Solution ::-
A patch is available from 

Alternatively, search for "database_ingo" in the Phrase Manager
within the Admin Control Panel, and delete or edit all critical details.

Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July

After searching the Internet a bit I discovered that I wasn't the
only one which knew about this bug. Please note that I give full
credit to the rightful finder / owner of this exploit.


All of the best,

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to