Dear Customers,
A possible security issue within vBulletin has been identified. There isn't a patch so to speak, so I don't think vB will be making a release notice about this. I just want to make sure all of our customers are aware of the potential risk in leaving user names wide open.
Floren brought this up here: Security flaw found in all vBulletin versions - Axivo Forums
There is a discussion thread on vB about the issue here, along with a regex fix for user names: vBulletin Community Forum
Quote:
The only fix available is to filter your usernames and allow only alphanumeric characters, when a guest tries to register.
Go to vBulletin Options and select the User Registration Options menu.
In the Username Regular Expression field, enter:
Code:
^[a-zA-Z0-9@\._ ]+$
My article written years ago uses a similar rule, but I allow just spaces instead of . _ and @ along with the space. With vBSEO, spaces will turn into "-", and so will "_" in the URL, so it's a good idea to not allow both spaces and any other semi-special character if you don't use IDs in any member area rewrite settings. Your choice.
Posted on vBSEO.com
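
The quoted rule only applies when a guest registers, so existing accounts are not checked by it. The following is an added example, not part of the original notice or of vBulletin/vBSEO code: a Python audit that runs a list of existing usernames against both rules discussed above and reports names that collide once spaces and "_" are rewritten to "-". The sample names and the `url_form` helper are constructed for illustration, and `url_form` models only the rewrite the notice mentions.

```python
import re
from collections import defaultdict

# Rule quoted in the notice: alphanumerics plus @ . _ and space.
QUOTED_RULE = re.compile(r"[a-zA-Z0-9@\._ ]+")
# Stricter variant described in the notice: alphanumerics and spaces only.
SPACES_ONLY_RULE = re.compile(r"[a-zA-Z0-9 ]+")


def rejected(usernames, rule):
    """Return existing names that the registration rule would not accept.

    fullmatch() is used rather than ^...$ with match(), because "$" in
    Python also matches just before a trailing newline.
    """
    return [name for name in usernames if not rule.fullmatch(name)]


def url_form(name):
    # Assumption: only the rewrite mentioned in the notice is modelled
    # (space and "_" both become "-"); the real rewriting may do more.
    return name.replace(" ", "-").replace("_", "-")


def url_collisions(usernames):
    """Group distinct usernames that end up with the same URL form."""
    groups = defaultdict(list)
    for name in usernames:
        groups[url_form(name)].append(name)
    return {slug: names for slug, names in groups.items() if len(names) > 1}


# Constructed sample data, standing in for an export of the user table.
SAMPLE_USERS = [
    "john smith",
    "john_smith",
    "alice",
    "bob@example.com",
    "eve<b>",
    "mallory\n",
    "j.doe",
]

if __name__ == "__main__":
    print("fails quoted rule:", rejected(SAMPLE_USERS, QUOTED_RULE))
    print("fails spaces-only rule:", rejected(SAMPLE_USERS, SPACES_ONLY_RULE))
    print("URL collisions:", url_collisions(SAMPLE_USERS))
```

Names reported by `rejected` predate the filter and need manual review or renaming; names reported by `url_collisions` are the reason the notice advises against allowing both spaces and "_" when member URLs do not include IDs.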