CVE-2006-4271

Name of the Vulnerable Software and Affected Versions vBulletin version 3.5.4

Description A remote file inclusion issue in the install/upgrade 301.php file allows remote attackers to execute arbitrary PHP code via a URL in the step parameter. However, the vendor has disputed this issue, stating that the default vBulletin requires authentication prior to the usage of the upgrade system.

Recommendations For version 3.5.4, consider restricting access to the install/upgrade 301.php file until the dispute is resolved or further guidance is provided. As a temporary workaround, ensure that authentication is properly enforced prior to the usage of the upgrade system.