Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels.

The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored. The forumware giant issued a patch on Wednesday, but a simple Google search on Friday revealed that scores of users have yet to apply it, meaning their administrative user names and passwords are wide open.

Exploiting the bug is as easy as entering “database” (minus quotes) in the search box of a forum's FAQ page. Vulnerable sites respond by returning everything that's needed to view sensitive user information or make administrative changes.

The patch updates users to version 3.8.6 PL1. Users who want to make sure the fix has worked should check for the string “database_ingo,” which is removed once the new version has correctly been installed. ®

Related stories

• Forumware giant vBulletin sues ex-devs (again) (4 November 2010)
• Updated vBulletin sues ex-devs over 'from scratch' competitor (5 October 2010)
• Updated vBulletin denies busting downloads in paid-up protester ban (30 October 2009)
• Forum king vBulletin muzzles paid-up protesters (28 October 2009)