More vBulletin Security Flaws – Yes Please, May I Have Another?

As many are now aware, a recent security flaw was discovered in vBulletin 3.8.6 which could potentially allow a hacker to gain crucial information such as the MySQL username and password. Although Internet Brands was quick to release a patch and fix this issue, the question still stands – How did this happen?

No doubt the die-hard IB fans will say it’s perfectly normal and expected that software has some bugs, as it’s part of the process, and I agree with this to a point, but a flaw as big as this is completely unacceptable. We’re not talking about a minor bug; we are talking about extremely critical administrator information being potentially exposed to anyone who takes a few simple steps to exploit this flaw. How does this make it past QA, and if they are missing flaws this extreme, what else lies beneath that we have yet to discover? With vBulletin 3 being as mature as it is, should we not have higher expectations, or is that asking too much?

Bravo, you have really outdone yourself this time Internet Brands.

What do the rest of you think? Is this something that’s acceptable or are we blowing this out of proportion?

  • MaXe

    I believe this may have been a bad way to gain massive media attention.

    vBulletin is well-coded and already hard to exploit, this bug was introduced in version 3.8.6 and patched (fixed) in 3.8.6 PL1. So, for those individuals that didn’t apply the maintenance patches in order to fix minor bugs, well they’re still secure.

    I am amazed that this “phrase” within vBulletin could slip into the final release, which appears to be either a media stunt or a developer mistake.

  • vBulletin FAQ

    This is what happens when you bring in coders who don’t really know the product. What’s more, 3.8.6 wasn’t really a necessary update, but I believe mostly an attempt to shore up lagging vBulletin 2010 revenues.