The Latest in IT Security

vBulletin SQL injection vulnerability – Update now

31 May 2011

A serious SQL injection vulnerability was reported in vBulletin (4.0.x, 4.1.0, 4.1.1 and 4.1.2) last month, and we are starting to see it used to attack and infect forums running those versions. The vulnerability is very simple and is explained here:

Multiple vBulletin Products ‘Search Multiple Content Types’ SQL Injection Vulnerability

Multiple vBulletin products are prone to an SQL-injection vulnerability because the applications fail to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

The following example data are available:

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

There is even a video on YouTube showing how to do it:

So if you are a vBulletin user, update it now! If you think your site is already hacked or compromised, you can scan it here: http://sitecheck.sucuri.net or contact us for help.
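As an added defender-side example (not code from the original post or from vBulletin), the following Python scans web-server access-log lines for requests whose cat[] search parameters are not plain integers, which is the shape every payload quoted in the advisory above takes. The log lines, IP addresses and the search.php request path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The first two carry
# the UNION SELECT payloads quoted in the advisory, URL-encoded as a browser
# or script would send them; the last two are ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2011:10:01:22 +0000] "GET /forum/search.php?do=process&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23 HTTP/1.1" 200 5120
203.0.113.7 - - [30/May/2011:10:01:23 +0000] "GET /forum/search.php?do=process&cat[0]=1)%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables%23 HTTP/1.1" 200 7311
198.51.100.4 - - [30/May/2011:10:02:01 +0000] "GET /forum/search.php?do=process&cat[0]=3&cat[1]=7&q=update HTTP/1.1" 200 4098
198.51.100.9 - - [30/May/2011:10:02:05 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 3001
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
CAT_KEY_RE = re.compile(r'^cat\[\d*\]$')   # the content-type array the advisory names
INTEGER_RE = re.compile(r'^\d+$')           # the only legitimate value shape
SQL_RE = re.compile(r'\b(union|select|from|information_schema)\b|[#;()]', re.I)

def suspicious_cat_values(target):
    """Return (key, decoded value) pairs of cat[] parameters that are not plain integers."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        if not CAT_KEY_RE.match(key):
            continue
        for value in values:
            if not INTEGER_RE.match(value):
                hits.append((key, value))
    return hits

def scan_log(text):
    """Return (client_ip, key, decoded value, reason) for every flagged parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(' ', 1)[0]
        for key, value in suspicious_cat_values(match.group('target')):
            # Distinguish outright SQL from merely malformed input so triage can prioritise.
            reason = 'sql-keywords' if SQL_RE.search(value) else 'non-integer'
            findings.append((client_ip, key, value, reason))
    return findings

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the two injected requests are reported; the legitimate multi-category search with cat[0]=3&cat[1]=7 passes because every value is an integer.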

*Thanks to Marcus Maciel for the reminder and help.

  1. leMfasseVab December 17, 2011

    How to urge multiple C category IP addresses?


