It seems that the openSUSE team is not even aware of the data breach, but we have informed them and are also trying to contact the hacker for further information.

The Pakistani hacker confirmed that he has uploaded a PHP shell on the forum server using his own private vBulletin zero-day exploit, which allows him to browse, read or write/overwrite any file on the forum server without root privileges. The hacker shared a few screenshots with us.

He also claimed to have full access to the users' database; however, he has promised not to disclose the database dump because the purpose of the hack is only to highlight the security weakness.

Another important claim by the hacker is that vBulletin 5.0.5, the latest version, is also vulnerable to his zero-day exploit and there is no patch yet available to fix it. He noticed that after our news report, the server administrator removed the defaced page, but to prove his exploit he has uploaded another file on the server again.

There are thousands of forums using vBulletin software and many of them are huge. The hacker has not shared any information about the vulnerability, but we are sure that the official vBulletin team will treat this critical threat as a high-priority fix.

The openSUSE team has informed users via tweets about the breach, "." But they have mentioned that, "

After openSUSE's tweet, the hacker shared some sample database screenshots on his Facebook account to prove the database hack. We have partially blurred the screenshot before sharing, to keep sensitive data secure, as shown above.

In a blog post, the openSUSE team confirmed that their website and database have been hacked, but users' passwords are not compromised.

"A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database."

The team explained that they are using a single-sign-on system (Access Manager from NetIQ) that manages the real passwords.

"Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."