Category:   Application (Forum/Board/Portal)  >   vBulletin
Vendors:   Jelsoft Enterprises
vBulletin 'backup.php' May Disclose Backup File to Remote Users
SecurityTracker Alert ID:  1014805
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 29 2005
Impact:   Disclosure of system information, Disclosure of user information

Version(s): 3.0
Description:   M@fia from crouz security team reported a vulnerability in vBulletin. A remote user may be able to obtain forum backups.

The 'backup.php' script creates a database backup file that is neither password protected nor encrypted. If the administrator selects the same directory as the forum for the location of the backup file, then a remote user who can guess the filename can download the file and obtain usernames, hashed passwords, and other information.

[Editor's note: The example shown in the vendor's documentation uses a directory in the web document path.]
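
An added example, not part of the original advisory or of vBulletin's code: a local Python check an administrator could run to confirm that the configured backup directory resolves outside the web document root, and to list dump-like files already stored under it. The directory layout, the `forumbackup.sql` file name and the suffix list are constructed assumptions, as is the premise that the web server serves everything under the document root.

```python
import os
import tempfile

# Assumed dump suffixes; adjust to what your backup job actually writes.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.bz2", ".sql.zip")

def is_inside(path, root):
    """True if path resolves (symlinks and '..' included) to root or below."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False

def find_dumps(docroot):
    """List dump-like files stored anywhere under the document root."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):  # symlinked dirs not followed
        hits += [os.path.join(dirpath, f) for f in files
                 if f.lower().endswith(DUMP_SUFFIXES)]
    return sorted(hits)

def audit(docroot, backup_dir):
    """Return (backup_dir_is_under_docroot, dumps_found_under_docroot)."""
    return is_inside(backup_dir, docroot), find_dumps(docroot)

def demo():
    # Constructed layout: one dump beside the forum scripts, one outside.
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        forum = os.path.join(docroot, "forum")
        safe = os.path.join(tmp, "backups")
        os.makedirs(forum)
        os.makedirs(safe)
        for p in (os.path.join(forum, "forumbackup.sql"),
                  os.path.join(forum, "index.php"),
                  os.path.join(safe, "forumbackup.sql")):
            open(p, "w").close()
        bad, dumps = audit(docroot, os.path.join(forum, "..", "forum"))
        good, _ = audit(docroot, safe)
        return bad, good, [os.path.relpath(d, docroot) for d in dumps]

if __name__ == "__main__":
    print(demo())
```

Comparing resolved path components rather than string prefixes keeps a sibling directory such as `htdocs_old` from being mistaken for a location under `htdocs`.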

Impact:   A remote user may be able to obtain forum backups.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  security hole in all versions of vbulletin forum


a security bug in backup.php in all versions of vbulletin forums
the backup file doesn't have any password
and anyone can see this
it has all hashed passwords
mapper software can find them

please reply to this mail quickly

If you need more information mail to me
by M@fia
crouz security team
