vBulletin 5.6.1 nodeId SQL injection
Description
vBulletin 5.6.1 and earlier versions contain a critical SQL injection vulnerability in the /ajax/api/content_infraction/getIndexableContent endpoint. The nodeId[nodeid] POST parameter reaches a database query without adequate sanitisation, so a remote attacker can inject SQL through it without authenticating. A successful attack lets the attacker manipulate database queries directly, potentially compromising the entire vBulletin installation and its underlying database.
Remediation
Apply the appropriate security patch immediately based on your current vBulletin version:
- For vBulletin 5.6.1: Install Patch Level 1
- For vBulletin 5.6.0: Install Patch Level 1
- For vBulletin 5.5.6: Install Patch Level 1
- For versions prior to 5.5.6: Upgrade to vBulletin 5.5.6 or later, then apply Patch Level 1
To apply patches:
- Back up your vBulletin installation and database before making changes
- Download the appropriate patch from the official vBulletin member area
- Upload the patch files to your vBulletin installation directory, overwriting existing files
- Run the upgrade script by navigating to yoursite.com/core/install/upgrade.php
- Follow the on-screen instructions to complete the upgrade process
- Verify the patch installation by checking the version number in the AdminCP
As an interim mitigation measure, consider restricting access to the /ajax/api/content_infraction/getIndexableContent endpoint at the web server level (for example, returning 403 for that path, whatever the HTTP method) until patches can be applied. This is a stopgap only: the vulnerable code remains in place until the patch is installed, so verify the fix in the AdminCP version display afterwards.
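Whether or not the web-server block is in place, a defender will want to know which requests reached the endpoint named above. The following is an added example (not part of the advisory and not vBulletin code) that scans combined-format access log lines for hits on the endpoint and flags any whose logged form body carries a nodeId[nodeid] value that is not a plain decimal integer. It assumes the server was configured to append the raw request body as a final quoted field; the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Path of the vulnerable endpoint named in the advisory. endswith() is used
# below so an installation under a prefix such as /forum/ is still matched.
ENDPOINT = "/ajax/api/content_infraction/getIndexableContent"

# Combined log format; the trailing quoted field is the request body, which
# this example assumes the server was configured to log (not a default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*")?(?: "(?P<body>[^"]*)")?'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2020:12:00:01 +0000] "GET /forum/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2020:12:00:02 +0000] "POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1" 200 311 "-" "Mozilla/5.0" "nodeId%5Bnodeid%5D=42"',
    '198.51.100.9 - - [10/May/2020:12:00:03 +0000] "POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1" 500 0 "-" "curl/7.68.0" "nodeId%5Bnodeid%5D=42abc"',
    '198.51.100.9 - - [10/May/2020:12:00:04 +0000] "POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1" 403 0 "-" "curl/7.68.0"',
]


def nodeid_is_well_formed(body):
    """True when every nodeId[nodeid] value in the body is a decimal integer
    (or the parameter is absent). parse_qs decodes the %5B/%5D brackets."""
    values = parse_qs(body, keep_blank_values=True).get("nodeId[nodeid]", [])
    return all(v.isascii() and v.isdigit() for v in values)


def find_endpoint_hits(lines):
    """Return one record per request to the endpoint, marking those whose
    logged body carries a malformed nodeId[nodeid] as suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(ENDPOINT):
            continue
        body = m.group("body") or ""
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "status": int(m.group("status")),
            "suspicious": not nodeid_is_well_formed(body),
        })
    return hits


if __name__ == "__main__":
    for hit in find_endpoint_hits(SAMPLE_LOG):
        print(hit)
```

A request to the endpoint with no logged body is still reported as a hit, so that blocked (403) requests remain visible after the web-server mitigation is in place.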