rowan194 - 10:52 pm on Jul 27, 2010 (gmt 0)
I did a little hunting with Google and after a few minutes found details of the "hack." I thought it may have been some sort of PHP injection to force it to reveal an arbitrary variable, but it is surprisingly simple.
Thankfully my version doesn't seem to be affected; I tried both the "hack" method and checking the particular install file for certain strings.
My db server disallows remote logins anyway, the worst that could have happened is they would be able to see the (unique) user/pass for vbulletin...