
Potential vBSEO vulnerability email from VBulletin.


  • Potential vBSEO vulnerability email from VBulletin.

    I am just making sure: is this actually from VB? Can one of the staff verify this email please?

    Dear VB License Holder,

    It has come to our attention that there may be a potential security vulnerability in VBSEO affecting the latest version of the software (and potentially other versions as well). We've attempted to contact the vendor, but as they have been non-responsive we felt we should alert the community as many of our customers use this add-on software.

    If you think you might be running a vulnerable version of the software, there is a simple fix: just comment out the following lines in the file vbseo/includes/functions_vbseo_hook.php:

    [Image attachment: 07-01-2015 19-40-54.jpg]


  • #2
    I had the same.

    Comment


    • #3
      And another one. Subscribed to this thread for further info. Would like to have some verification.
      - highly ill, but always intelligent -

      Comment


      • #4
        Hi
        Me too, and no, this email is not from vbulletin; just hover over the links at the bottom and the web links that pop up prove this to be spam.
        Regards
        Trevor

        Comment


        • #5
          And whilst we are on the subject of the defunct vbseo package, has anyone ever tried removing it successfully without destroying their vb installation?????
          Regards
          Trevor

          Comment


          • #6
            the same here.

            Comment


            • #7
              The email looks to be from vbulletin, I'm just unsure this is actually a vulnerability, there doesn't seem to be much detail and vbulletin's fix is to just remove a block of code (which I'm unsure will break anything). It doesn't help that vbseo doesn't exist anymore.
              Cooking Forum

              Comment


              • #8
                Yes. It is the same email format we have been using for the last 3 years. The issue was found by other Internet Brands verticals and also fixed by them. We're told they tested it. The email content comes from the Chief Technology Office of Internet Brands. We just forwarded to customers who it may affect.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API - Full / Mobile
                Vote for your favorite feature requests and the bugs you want to see fixed.

                Comment


                • #9
                  Originally posted by Trevor Matthews View Post
                  And whilst we are on the subject of the defunct vbseo package, has anyone ever tried removing it successfully without destroying their vb installation?????
                  I'd be interested in hearing about this as well.

                  The impact of breaking long-established URLs is very bad: we had a vbSEO problem in 2013 on one forum which cut search traffic & income by nearly 50%. It took 6 months to recover.

                  Comment


                  • #10
                    Thanks for confirming! And thanks for notifying us.

                    Comment


                    • #11
                      That's interesting so those dodgy looking web links at the bottom of the email are genuine then???
                      The hover over links at the bottom of the email started click.shopping

                      How are they genuine???

                      If this is genuine, can someone please upload the full details again as I deleted the email.

                      regards
                      Trevor

                      Regards
                      Trevor

                      Comment


                      • #12
                        It is a genuine email and those links are shopping links owned by vBulletin's parent company, Internet Brands.
                        I'm afraid I don't have a copy of the email, it is sent from an emailing system.
                        MARK.B | vBULLETIN SUPPORT

                        TalkNewsUK - My vBulletin 5.6.2 Demo
                        AdminAmmo - My Cloud Demo

                        Comment


                        • #13
                          If you think you might be running a vulnerable version of the software, there is a simple fix: just comment out the following lines in the file vbseo/includes/functions_vbseo_hook.php:
                          Code:
                          if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
                          $permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;
                          should be changed to:
                          Code:
                          // if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
                          // $permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;
                          Translations provided by Google.

                          Wayne Luke
                          The Rabid Badger - a vBulletin Cloud demonstration site.
                          vBulletin 5 API - Full / Mobile
                          Vote for your favorite feature requests and the bugs you want to see fixed.

                          Comment


                          • #14
                            I am unable to understand the following part : If you are running the "Suspect File Versions" diagnostics tool, you will additionally need to generate a new MD5 sum of the above file and edit upload/includes/md5_sums_crawlability_vbseo.php to use the new MD5 sum on the line:

                            Comment


                            • #15
                              Originally posted by Wayne Luke View Post
                              If you think you might be running a vulnerable version of the software, there is a simple fix: just comment out the following lines in the file vbseo/includes/functions_vbseo_hook.php:
                              Code:
                              if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
                              $permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;
                              should be changed to:
                              Code:
                              // if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
                              // $permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;

                              I've received the email too & am looking at alternatives to vbseo. Meanwhile, has anyone implemented this change? What does it do & what may stop working?

                              I also didn't understand the reference to "Suspect File Versions" diagnostics tool. Anyone?

                              Have just realised that this thread is in VB4 support. I'm still running vB 3.8.8. Does it refer to that too?

                              Comment
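
One way to confirm that the change from post #13 is in place and to get the new MD5 sum that posts #14 and #15 ask about, as an added example that is not vBulletin's or vBSEO's own code. The function names and the sample file contents are assumptions constructed for illustration; the thread does not show the format of md5_sums_crawlability_vbseo.php, so the script only reports the hash to paste there.

```python
import hashlib
import re

# The two statements quoted in the thread (vbseo/includes/functions_vbseo_hook.php).
STATEMENTS = {
    "condition": "if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))",
    "assignment": "$permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;",
}

def _squash(text):
    """Remove all whitespace so indentation or spacing cannot hide a match."""
    return re.sub(r"\s+", "", text)

def statement_state(php_source, statement):
    """Return 'active', 'commented' or 'absent' (// and # comments only)."""
    target, state = _squash(statement), "absent"
    for raw in php_source.splitlines():
        line = _squash(raw)
        pos = line.find(target)
        if pos < 0:
            continue
        if not line[:pos].startswith(("//", "#")):
            return "active"
        state = "commented"
    return state

def audit(file_bytes):
    """Report whether the two lines are still live and the file's current MD5."""
    text = file_bytes.decode("utf-8", errors="replace")
    states = {name: statement_state(text, s) for name, s in STATEMENTS.items()}
    live = sorted(name for name, st in states.items() if st == "active")
    # "partial" matters: a lone `if` would guard whatever statement follows it,
    # and a lone assignment would prepend the Referer header on every request.
    status = {0: "not active", 1: "partial", 2: "unpatched"}[len(live)]
    return {"status": status, "states": states,
            "md5": hashlib.md5(file_bytes).hexdigest()}

# Constructed sample input, not the real vBSEO file.
BEFORE = b"<?php\n" + "\n".join(STATEMENTS.values()).encode() + b"\n$x = 1;\n"
AFTER = (BEFORE.replace(b"if(isset", b"// if(isset")
               .replace(b"$permalinkurl =", b"// $permalinkurl ="))

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        result = audit(data)
        print(label, result["status"], result["md5"])
```

On a real installation, pass the bytes of the edited functions_vbseo_hook.php to `audit()`; the MD5 changes with any edit to the file, which is why the diagnostics tool needs the new value.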
