Auditing last night's logs I discovered an attempt to download every user's email and hashed password, one by one. I can't tell for certain whether they were able to succeed, I'm hoping that due to the nature of the error it was triggering they didn't/couldn't, but can not rely on vBulletin's security to have actually prevented it since it was a (another) hole in their search code that allowed the attack in the first place.
I upgraded to the newest version that had the search engine patched, but due to the hasty nature of the upgrade we're once again experiencing the pain of things going wonky from version conflicts. I'll be working to address those as I can, and looking for pieces of code that fell out.
All users are undergoing mandatory password changes again for their own safety, and it's recommended any of you that are using the same password in your email or anywhere else change that as well as a precaution.
Known Broken Bits: Buttons, Smilies, Editor Buttons, Private Message Expansions from the Market, Users Online missing, editing posts is once again not saving via AJAX, lots of random jacked up crap, I know.
Bookmarks