The Latest in IT Security

vBulletin SQL injection vulnerability – Update now


A serious SQL injection vulnerability was reported in vBulletin (4.0.x, 4.1.0, 4.1.1 and 4.1.2) last month, and we are starting to see it being used to attack and infect forums running those versions. The vulnerability is very simple and is explained here:

Multiple vBulletin Products ‘Search Multiple Content Types’ SQL Injection Vulnerability

Multiple vBulletin products are prone to an SQL-injection vulnerability because the applications fail to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

The following example data are available:

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

There is even a video on YouTube showing how to do it:

So if you are a vBulletin user, update it now! If you think your site is already hacked or compromised, you can scan it here: or contact us for help.
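One way to check your web server logs for requests shaped like the advisory's examples, as an added example that is not from the original post or from vBulletin: it flags any cat[...] parameter whose value is not a plain number. It assumes a combined-format access log and that the parameter appears in the URL query string (request bodies are not written to access logs by default); the log lines and the /forum/search.php path are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The cat[...] search parameter is expected to carry only a numeric category id.
CAT_KEY_RE = re.compile(r'^cat\[[^\]]*\]$')
NUMERIC_RE = re.compile(r'^\d+$')

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2011:10:01:02 +0000] '
    '"GET /forum/search.php?query=test&cat%5B0%5D=3 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Jul/2011:10:01:09 +0000] '
    '"GET /forum/search.php?query=test&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23 HTTP/1.1" 200 734',
    '198.51.100.23 - - [10/Jul/2011:10:01:15 +0000] '
    '"GET /forum/search.php?query=test&cat[0]=1)%20UNION%20SELECT%20table_name'
    '%20FROM%20information_schema.tables%23 HTTP/1.1" 200 9911',
]

def suspicious_cat_values(log_line):
    """Return the non-numeric cat[...] values found in one access log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    # parse_qsl percent-decodes keys and values, so encoded payloads are caught too.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if CAT_KEY_RE.match(key) and not NUMERIC_RE.match(value.strip()):
            hits.append(value)
    return hits

def scan(lines):
    """Return (client_ip, decoded_value) pairs for every suspicious request."""
    findings = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        findings.extend((client_ip, v) for v in suspicious_cat_values(line))
    return findings

if __name__ == "__main__":
    for client_ip, value in scan(SAMPLE_LOG):
        print(f"{client_ip}: non-numeric cat[] value: {value!r}")
```

A hit only shows that someone sent such a request; whether it succeeded depends on the vBulletin version that was running at the time.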

*Thanks to Marcus Maciel for the reminder and help.

  1. leMfasseVab December 17, 2011

    How to urge multiple C category IP addresses?
