vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.

  • [Forum] vBulletin 3.x and 4.x Redirect Security Exploit

    This redirect exploit seems to have resurfaced again.

    See http://developer.yahoo.com/yui/

    Note: All YUI 2.x users should review the YUI 2.8.2 security bulletin, which discusses a vulnerability present in YUI 2.4.0-2.8.1. If you host a YUI 2.4.0-2.8.1 distribution, you need to take action; review the bulletin for full details.
    In the meantime, do this:
    1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
    2. Scroll down to Use Remote YUI
    3. Set this to Google
    Psychlinks Psychology Self-Help & Mental Health Support Forum
    Tourette Syndrome Foundation of Canada Support Forum
    Local Search Forum

  • #2
    See also http://articles.digitalpoint.com/con...ze-vBulletin-4

    Use YUI 2.82 (or 2.9.x)
    vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).

    The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:

    PHP Code:
    define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle


    to this:

    PHP Code:
    define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle
    Psychlinks Psychology Self-Help & Mental Health Support Forum
    Tourette Syndrome Foundation of Canada Support Forum
    Local Search Forum



    • #3
      We expect to have a patch shortly. Meanwhile you should switch to Google YUI for now.
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
      Change CKEditor Colors to Match Style (for 4.1.4 and above)

      Steve Machol Photography


      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




      • #4
        Actually I have been told this was fixed in 4.1.0. Still waiting for more clarification.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


        • #5
          I am running or administering both 3.x and 4.x forums. The forum most clearly hit by the exploit was the latest 3.x version but I am pretty certain that I saw at least one redirect on a 4.13 installation. The redirects are intermittent, which makes them harder to track, possibly cookie-based.
          Psychlinks Psychology Self-Help & Mental Health Support Forum
          Tourette Syndrome Foundation of Canada Support Forum
          Local Search Forum



          • #6
            I have been told this specific exploit is not applicable to 4.1.3 to 3.x. I have asked for a more definitive statement.
            Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


            • #7
              Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13.

              Among other things, vB 4.13 is still using version 2.7.0 of the YUI despite the fact that the latest YUI is 2.9.0, and Yahoo is clearly advising users of the libraries to upgrade to at least 2.8.2.
              Psychlinks Psychology Self-Help & Mental Health Support Forum
              Tourette Syndrome Foundation of Canada Support Forum
              Local Search Forum



              • #8
                Originally posted by djbaxter
                Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13
                Can you provide me with proof or documentation of the attack on your site that came via YUI? I suspect that the cookie-based redirect hack you've described earlier matches up with the cookie redirect hack reported and patched in VBSEO.
                anders | vbulletin team | check out the new vbulletin facebook app
                Proudly vBulletin'ing since 2001
                Please be my friend!
                http://www.twitter.com/inetskunkworks
                vBulletin Performance Articles:
                Click here to read



                • #9
                  First, members were getting alerts like the following:

                  3/23/2011 7:30:41 AM HTTP filter file http://myforum.com/clientscript/yui/...event.js?v=412 HTML/Iframe.B.Gen virus connection terminated - quarantined YOUR-LK4RLMSU41\Owner Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
                  so that implicated the YUI on both the 3.83 forum and the 4.13 forums.

                  Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.

                  Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.

                  As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.

                  We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.

                  Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.
                  Psychlinks Psychology Self-Help & Mental Health Support Forum
                  Tourette Syndrome Foundation of Canada Support Forum
                  Local Search Forum



                  • #10
                    I am still not 100% that this is the vector, investigating.

                    Originally posted by djbaxter
                    First, members were getting alerts like the following:

                    so that implicated the YUI on both the 3.83 forum and the 4.13 forum

                    Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.

                    Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.

                    As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.

                    We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.

                    Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.
                    anders | vbulletin team | check out the new vbulletin facebook app


                    • #11
                      The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.
                      vBulletin Developer since Dec 2000



                      • #12
                        Originally posted by djbaxter
                        As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.
                        Which forums exactly? There are two in your account - both are running 4.1.3 and one is also running vBSEO.

                        Also I could not find any tickets from you regarding any exploit issues.
                        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                        • #13
                          *sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?

                          Originally posted by Freddie Bingham
                          The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.
                          I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?

                          Originally posted by Steve Machol
                          Which forums exactly? There are two in your account - both are running 4.1.3 and one is also running vBSEO.

                          Also I could not find any tickets from you regarding any exploit issues.
                          1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.

                          2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.
                          Psychlinks Psychology Self-Help & Mental Health Support Forum
                          Tourette Syndrome Foundation of Canada Support Forum
                          Local Search Forum



                          • #14
                            Didn't think you were attacking anyone; we are just trying to make sure we isolate a vector and address the problem. We are doing that right at this moment.



                            Originally posted by djbaxter
                            *sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?



                            I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?



                            1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.

                            2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.
                            anders | vbulletin team | check out the new vbulletin facebook app


                            • #15
                              Originally posted by djbaxter
                              I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?
                              Actually I did read that. Particularly this page:

                              http://yuilibrary.com/support/2.8.2/

                              And as per this part:

                              [Attached image]

                              The uploader.swf file in vB 4.1.0 and higher is fixed.

                              And as Freddie posted above, the uploader.swf file is not used in 3.8.7 or below.

                              -bash:~/vb413/clientscript/yui/uploader/assets$ md5sum uploader.swf
                              20fa166d664c0151c1c7fb872104068f uploader.swf


                              That is based on Yahoo's instructions. This md5sum hash also matches the hash in the patch file they make available.

                              And as Freddie already noted, the uploader.swf file is not used in 3.8.7 and below.
                              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
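The three checks this thread performs by hand (the YUI version declared in class_core.php, the uploader.swf hash, and iframe markup inside the YUI scripts) can be run as one read-only audit. This is an added example, not code from vBulletin, Yahoo or any poster; the function names and the iframe pattern are assumptions of the sketch, while the MD5 and the 2.8.2 floor are the values quoted in posts #15 and #1.

```python
import hashlib
import re
from pathlib import Path

# MD5 of the fixed uploader.swf, as quoted in post #15 of this thread.
PATCHED_UPLOADER_MD5 = "20fa166d664c0151c1c7fb872104068f"
# Post #1 quotes Yahoo: YUI 2.4.0-2.8.1 are affected, so 2.8.2 is the floor.
MIN_SAFE_YUI = (2, 8, 2)
DEFINE_RE = re.compile(r"define\(\s*'YUI_VERSION'\s*,\s*'(\d+(?:\.\d+)*)'\s*\)")
# Assumed heuristic for the HTML/Iframe alert in post #9: an iframe with a
# remote src inside a .js file. Hits still need comparing with a clean copy.
IFRAME_RE = re.compile(rb"<\s*iframe\b[^>]*\bsrc\s*=\s*[\"']?\s*https?://", re.I)


def bundled_yui_version(root):
    """Return YUI_VERSION from includes/class_core.php as a tuple, or None."""
    core = Path(root) / "includes" / "class_core.php"
    if not core.is_file():
        return None
    m = DEFINE_RE.search(core.read_text(errors="replace"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(root):
    """Return (check, relative path, detail) findings for a vBulletin tree."""
    root = Path(root)
    findings = []
    version = bundled_yui_version(root)
    if version is None:
        findings.append(("yui-version", "includes/class_core.php", "not found"))
    elif version < MIN_SAFE_YUI:
        shown = ".".join(map(str, version))
        findings.append(("yui-version", "includes/class_core.php", shown))
    yui = root / "clientscript" / "yui"
    swf = yui / "uploader" / "assets" / "uploader.swf"
    if swf.is_file():  # absent on vB3, which has no uploader (post #11)
        digest = hashlib.md5(swf.read_bytes()).hexdigest()
        if digest != PATCHED_UPLOADER_MD5:
            findings.append(("uploader-md5", swf.relative_to(root).as_posix(), digest))
    for js in sorted(yui.rglob("*.js")) if yui.is_dir() else []:
        hit = IFRAME_RE.search(js.read_bytes())
        if hit:
            rel = js.relative_to(root).as_posix()
            findings.append(("iframe-in-js", rel, hit.group(0).decode("latin-1")))
    return findings
```

Run it as `audit("/path/to/forum")` against the forum's document root; an empty list means none of the three checks fired, not that the site is clean.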