My site has been hacked. It was my fault because I had weak permissions plus a script that allowed to upload images without any further verification. As a result of this I got a jpg that contained a shell script which got executed via RFI.

As countermeasures I secured the permissions, but I also disallowed any means of image uploading including vbulletin custom avatars, signatures, profilepics and user albums.

Perhaps I'm going too far so I wanted to ask. Are VB img upload scripts secured against gifs containing malicious php code?

If such a bug was reported it would be fixed and a new version would be issued. That's a rather big security hole so I'm sure a patch would come out very quickly.

As mentioned, RFI is a very big issue - and I'm sure the devs would have already looked at it. vBulletin itself should not be vulnerabvle to RFI, however, this does not always ring true for modifications.