vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.
  • Steve Machol
    replied
    Originally posted by djbaxter
    I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?
    Actually I did read that. Particularly this page:



    And as per this part:

    [Screenshot attachment: Screen shot 2011-05-26 at 12.58.21 PM.png]

    The uploader.swf file in vB 4.1.0 and higher is fixed.

    And as Freddie posted above, the uploader.swf file is not used in 3.8.7 or below.

    -bash:~/vb413/clientscript/yui/uploader/assets$ md5sum uploader.swf
    20fa166d664c0151c1c7fb872104068f uploader.swf


    That is based on Yahoo's instructions. This md5sum hash also matches the hash in the patch file they make available.

    And as Freddie already noted, the uploader.swf file is not used in 3.8.7 and below.



  • IBxAnders
    replied
    Didn't think you were attacking anyone; we are just trying to make sure we isolate a vector and address the problem. We are doing that right at this moment.



    Originally posted by djbaxter
    *sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?



    I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?



    1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.

    2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.



  • djbaxter
    replied
    *sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?

    Originally posted by Freddie Bingham
    The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.
    I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?

    Originally posted by Steve Machol
    Which forums exactly? There are two in your account - both are running 4.1.3 and one is also running vBSEO.

    Also I could not find any tickets from you regarding any exploit issues.
    1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.

    2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.



  • Steve Machol
    replied
    Originally posted by djbaxter
    As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.
    Which forums exactly? There are two in your account - both are running 4.1.3 and one is also running vBSEO.

    Also I could not find any tickets from you regarding any exploit issues.



  • Freddie Bingham
    replied
    The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.



  • IBxAnders
    replied
    I am still not 100% that this is the vector, investigating.

    Originally posted by djbaxter
    First, members were getting alerts like the following:



    so that implicated the YUI on both the 3.83 forum and the 4.13 forums.

    Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.

    Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.

    As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.

    We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.

    Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.



  • djbaxter
    replied
    First, members were getting alerts like the following:

    3/23/2011 7:30:41 AM HTTP filter file http://myforum.com/clientscript/yui/...event.js?v=412 HTML/Iframe.B.Gen virus connection terminated - quarantined YOUR-LK4RLMSU41\Owner Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    so that implicated the YUI on both the 3.83 forum and the 4.13 forums.

    Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.

    Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.

    As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.

    We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.

    Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.



  • IBxAnders
    replied
    Originally posted by djbaxter
    Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13
    Can you provide me with proof or documentation of the attack on your site that came via YUI. I suspect that the cookie based redirect hack you've described earlier matches up with the cookie redirect hack reported and patched in VBSEO.



  • djbaxter
    replied
    Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13.

    Among other things, vB 4.13 is still using version 2.7.0 of the YUI despite the fact that the latest YUI is 2.9.0, and Yahoo is clearly advising users of the libraries to upgrade to at least 2.8.2.



  • Steve Machol
    replied
    I have been told this specific exploit is not applicable to 4.1.3 to 3.x. I have asked for a more definitive statement.



  • djbaxter
    replied
    I am running or administering both 3.x and 4.x forums. The forum most clearly hit by the exploit was the latest 3.x version but I am pretty certain that I saw at least one redirect on a 4.13 installation. The redirects are intermittent which makes them harder to track, possibly cookie-based.



  • Steve Machol
    replied
    Actually I have been told this was fixed in 4.1.0. Still waiting for more clarification.



  • Steve Machol
    replied
    We expect to have a patch shortly. Meanwhile you should switch to Google YUI for now.



  • djbaxter
    replied
    See also http://articles.digitalpoint.com/con...ze-vBulletin-4

    Use YUI 2.82 (or 2.9.x)
    vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).

    The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:

    PHP Code:
    define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle


    to this:

    PHP Code:
    define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle

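    Added here as a defender's check script, not code from this thread, from vBulletin or from the digitalpoint article: it reads YUI_VERSION out of includes/class_core.php and tests it against the 2.8.2 floor from the Yahoo bulletin, and compares clientscript/yui/uploader/assets/uploader.swf against the patched-file md5sum quoted in Steve Machol's reply above. The forum-root argument, the helper names and the version comparison are my assumptions; it serves both the class_core.php edit in this post and the md5sum check earlier in the thread.

```shell
#!/bin/sh
# Added example: post-mitigation checks for the two fixes discussed in this thread.
# Assumes a vBulletin 4.x tree rooted at $1, with includes/class_core.php and
# clientscript/yui/uploader/assets/uploader.swf (paths as quoted in the thread).
# MD5 of the patched uploader.swf as quoted in Steve Machol's md5sum output above.
FIXED_UPLOADER_MD5=20fa166d664c0151c1c7fb872104068f

# Print the bundled YUI version from a class_core.php; tolerates the missing comma
# in the define() line as it appears in the quoted digitalpoint article.
yui_version_from_core() {
  sed -n "s/.*define('YUI_VERSION'[, ]*'\([0-9.]*\)').*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted version $1 >= $2 (up to three numeric fields, missing = 0).
version_ge() {
  printf '%s %s\n' "$1" "$2" | awk '{
    n = split($1, a, "."); m = split($2, b, ".")
    for (i = 1; i <= 3; i++) {
      x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0 }'
}

# uploader.swf status: 0 = matches the patched hash, 1 = present but differs,
# 2 = not shipped (vB 3.8.7 and below, or already deleted).
uploader_status() {
  f="$1/clientscript/yui/uploader/assets/uploader.swf"
  [ -f "$f" ] || return 2
  sum=$( (md5sum "$f" 2>/dev/null || md5 -q "$f") | awk '{ print $1 }')
  [ "$sum" = "$FIXED_UPLOADER_MD5" ]
}

# Human-readable report for one forum root.
check_forum() {
  ver=$(yui_version_from_core "$1/includes/class_core.php")
  if [ -n "$ver" ] && version_ge "$ver" 2.8.2; then
    echo "YUI_VERSION $ver: at or above 2.8.2"
  else
    echo "YUI_VERSION ${ver:-unknown}: below 2.8.2, bump it as the thread describes"
  fi
  rc=0; uploader_status "$1" || rc=$?
  case $rc in
    0) echo "uploader.swf: matches the patched hash" ;;
    1) echo "uploader.swf: present and does NOT match the patched hash, replace it" ;;
    *) echo "uploader.swf: not present (expected on vB 3.8.7 and below)" ;;
  esac
}
```

    Run it as `sh check_yui.sh /path/to/forum` after adding a final `check_forum "$1"` call; an exit status other than 0 from uploader_status on a 4.x install means the bundled SWF is not the patched one.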


  • djbaxter
    started a topic [Forum] vBulletin 3.x and 4.x Redirect Security Exploit

    vBulletin 3.x and 4.x Redirect Security Exploit

    This redirect exploit seems to have resurfaced again.

    See http://developer.yahoo.com/yui/

    Note: All YUI 2.x users should review the YUI 2.8.2 security bulletin, which discusses a vulnerability present in YUI 2.4.0-2.8.1. If you host a YUI 2.4.0-2.8.1 distribution, you need to take action — review the bulletin for full details.
    In the meantime, do this:
    1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
    2. Scroll down to Use Remote YUI
    3. Set this to Google
