vBulletin 4 (up to 4.1.2) search.php SQL injection
Description
vBulletin versions 4.0.x through 4.1.2 contain an SQL injection vulnerability in the search.php file. This flaw allows unauthenticated remote attackers to inject malicious SQL commands into database queries through improperly sanitized user input, potentially compromising the entire application database.
Remediation
Apply the official vBulletin 4.x security patch immediately by following these steps:
1. Download the security patch from the official vBulletin forum or member area
2. Back up your current vBulletin installation and database before applying any changes
3. Upload the patched files to your server, overwriting the vulnerable search.php and related files
4. Verify the patch installation by checking the vBulletin version in the AdminCP
5. If patching is not immediately possible, consider temporarily disabling the search functionality until the patch can be applied
For long-term security, upgrade to the latest stable version of vBulletin, which includes this and other security fixes. Additionally, use prepared statements with bound parameters in any custom code so that user input can never alter the structure of a database query.
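The parameterized-query advice above, illustrated in PHP as an added example that is not vBulletin's own code. It assumes a PDO connection to MySQL and a table `post` with columns `postid`, `title` and `pagetext`; vBulletin's own database layer is not reproduced, and the connection credentials are placeholders.

```php
<?php
// Added example, not vBulletin code. Assumes a PDO connection to MySQL and a
// table `post` with columns `postid`, `title`, `pagetext` (assumption).

// Vulnerable pattern: the search term is concatenated straight into the SQL,
// so quote characters in the input change the structure of the query.
function searchPostsUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT postid, title FROM post WHERE pagetext LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the term is bound as a parameter, so it can only ever be data.
// LIKE wildcards typed by the user are escaped as well, otherwise a term such
// as "%" matches every row (MySQL's default LIKE escape character is backslash),
// and the result set is bounded with a LIMIT bound as an integer.
function searchPostsSafe(PDO $db, string $term, int $limit = 25): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare(
        'SELECT postid, title FROM post WHERE pagetext LIKE :pattern LIMIT :limit'
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup: emulated prepares are disabled so the MySQL server itself
// keeps query text and bound values apart. Host, database and credentials are
// placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=vbulletin;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

// Untrusted input from the request is passed straight to the safe function;
// output is HTML-escaped so result titles cannot inject markup either.
$term = $_GET['q'] ?? '';
foreach (searchPostsSafe($db, $term) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```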