vBulletin customer number disclosure - Vulnerability Database

vBulletin customer number disclosure

Description

vBulletin versions 4.1 and later, as well as version 5.x, contain an information disclosure vulnerability in the installation upgrade scripts. The /install/upgrade.php file (or /core/install/upgrade.php in version 5.x) exposes the customer license number to unauthenticated users when accessed directly. This occurs because the installation directory is often left on production systems after deployment, allowing attackers to retrieve sensitive licensing information without authentication.

Remediation

Immediately remove the installation directories from your production vBulletin deployment. The specific directories to delete depend on your version:

  • vBulletin 4.1 - 4.x: Delete the /install/ directory
  • vBulletin 5.x: Delete the /core/install/ directory

To verify the directories have been removed, attempt to access the upgrade script directly via your web browser. You should receive a 404 error:

https://your-domain.com/install/upgrade.php
https://your-domain.com/core/install/upgrade.php
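The browser check above can be scripted so it runs against your own deployment after every upgrade. The following is an added example, not Invicti's or vBulletin's code: it requests both upgrade-script paths under a base URL you supply, reports 404 as removed and 200 as still exposed, and flags any other status (403, a redirect, a 5xx) for manual review rather than treating it as safe. The `fetch` parameter and the `vb-install-check` user agent are assumptions made so the verdict logic can be exercised without a network.

```python
"""Verify that vBulletin install directories are gone (added example, not vendor code)."""
import sys
import urllib.error
import urllib.request

# Upgrade scripts the advisory says must not be reachable on a production site.
INSTALL_PATHS = {
    "4.x": "/install/upgrade.php",
    "5.x": "/core/install/upgrade.php",
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx must be reviewed, not silently turned into a 404 or 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status code of a GET for url (3xx/4xx/5xx arrive as HTTPError)."""
    req = urllib.request.Request(url, headers={"User-Agent": "vb-install-check"})  # assumed UA
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_install_paths(base_url: str, fetch=http_status) -> dict:
    """Map each upgrade-script path to a verdict. `fetch` is an assumed hook for testing."""
    base = base_url.rstrip("/")
    verdicts = {}
    for path in INSTALL_PATHS.values():
        code = fetch(base + path)
        if code == 404:
            verdicts[path] = "removed"        # expected result after deleting the directory
        elif code == 200:
            verdicts[path] = "exposed"        # script still answers: delete the directory now
        else:
            verdicts[path] = f"review ({code})"  # 403/3xx/5xx: confirm on disk, not just over HTTP
    return verdicts

def all_removed(verdicts: dict) -> bool:
    """True only when every upgrade-script path returned 404."""
    return all(v == "removed" for v in verdicts.values())

if __name__ == "__main__":
    results = check_install_paths(sys.argv[1])
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    sys.exit(0 if all_removed(results) else 1)
```

Run it as `python check_vb_install.py https://your-domain.com`; a non-zero exit means at least one path did not return 404.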

As a security best practice, installation and upgrade directories should always be removed after completing the installation process. While vBulletin 3.x and pre-4.1 versions are not affected by this specific vulnerability, removing their installation directories is still recommended to minimize the attack surface.
