
vBulletin 3.8.6 Credential Disclosure

23 Jul 2010 | Reported by MaXe | Type: packetstorm | Source: packetstormsecurity.com

vBulletin 3.8.6 credential disclosure: a security issue in the faq.php file allows access to the database credentials.

Code
```
Versions Affected: 3.8.6 (Only!)

Info:
Content publishing, search, security, and more—vBulletin has it all. Whether
it’s available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.

External Links:
http://www.vbulletin.com/


-:: The Advisory ::-
vBulletin is prone to information disclosure of the entire database
credentials used in config.php via the faq.php file.

By searching for "database" on a vulnerable installation of vBulletin
an attacker is shown the information mentioned above.

-:: Solution ::-
A patch is available from http://members.vbulletin.com

Alternatively, search for "database_ingo" in the Phrase Manager
within the Admin Control Panel, and delete or edit all critical details.


Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July

Note:
After searching the Internet a bit I discovered that I wasn't the
only one who knew about this bug. Please note that I give full
credit to the rightful finder / owner of this exploit.

References:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/2857-vbulletin-3-8-6-critical-information-disclosure.html
http://www.vbulletin.com/forum/showthread.php?357818-Security-Patch-Release-3.8.6-PL1



All of the best,
MaXe
```
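The manual Phrase Manager check in the Solution can be extended to every phrase at once. The script below is an added example, not part of the original advisory or of vBulletin's code. It assumes the phrases have been exported as (varname, text) pairs and that config.php uses the `$config['Section']['key'] = 'value';` layout; the function names and all sample data are constructed. It also flags phrase text that references the config array rather than a literal value, on the assumption that such references could be resolved when the phrase is displayed.

```python
import re

# Matches config.php lines such as: $config['MasterServer']['password'] = 'x';
CONFIG_LINE = re.compile(
    r"""\$config\['(\w+)'\]\['(\w+)'\]\s*=\s*(['"])(.*?)\3\s*;"""
)
SENSITIVE_KEYS = {"dbname", "servername", "username", "password"}
# Phrase text that points at the config array instead of a literal value.
CONFIG_REF = re.compile(r"""config\s*\[\s*['"]\w+['"]\s*\]""")

def parse_config_secrets(config_text):
    """Return {'Section.key': value} for non-empty sensitive settings."""
    return {
        f"{section}.{key}": value
        for section, key, _q, value in CONFIG_LINE.findall(config_text)
        if key in SENSITIVE_KEYS and value
    }

def audit_phrases(phrases, secrets, min_len=4):
    """Return sorted (varname, reason) pairs for phrases exposing config data."""
    findings = set()
    for varname, text in phrases:
        for name, value in secrets.items():
            # Very short values match ordinary words, so they are skipped.
            if len(value) >= min_len and value in text:
                findings.add((varname, f"literal {name}"))
        if CONFIG_REF.search(text):
            findings.add((varname, "config reference"))
    return sorted(findings)

# Constructed sample data (not taken from any real installation).
SAMPLE_CONFIG = """\
$config['Database']['dbname'] = 'forum_prod';
$config['MasterServer']['servername'] = 'db01.internal';
$config['MasterServer']['username'] = 'vb_app';
$config['MasterServer']['password'] = 'S3cr3t-constructed';
"""
SAMPLE_PHRASES = [
    ("faq_welcome_title", "Welcome to the forum FAQ"),
    ("database_ingo", "Database: forum_prod, user vb_app / S3cr3t-constructed"),
    ("custom_help_text", "Name: {$vbulletin->config['Database']['dbname']}"),
]

if __name__ == "__main__":
    secrets = parse_config_secrets(SAMPLE_CONFIG)
    for varname, reason in audit_phrases(SAMPLE_PHRASES, secrets):
        print(f"{varname}: {reason}")
```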
