Actually I did read that. Particularly this page:
And as per this part:
The uploader.swf file in vB 4.1.0 and higher is fixed.
And as Freddie posted above, the uploader.swf file is not used in 3.8.7 or below.
-bash:~/vb413/clientscript/yui/uploader/assets$ md5sum uploader.swf
20fa166d664c0151c1c7fb872104068f uploader.swf
That is based on Yahoo's instructions. This md5sum hash also matches the hash in the patch file they make available.
And as Freddie already noted, the uploader.swf file is not used in 3.8.7 and below.
vBulletin 3.x and 4.x Redirect Security Exploit
This topic is closed.
-
Didn't think you were attacking anyone; we are just trying to make sure we isolate a vector and address the problem. We are doing that right at this moment.
*sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?
I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?
1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.
2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.
-
Also I could not find any tickets from you regarding any exploit issues.
-
The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.
-
I am still not 100% that this is the vector, investigating.
First, members were getting alerts like the following:
so that implicated the YUI on both the 3.83 forum and the 4.13 forum.
Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.
Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.
As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.
We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.
Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.
-
First, members were getting alerts like the following:
3/23/2011 7:30:41 AM HTTP filter file http://myforum.com/clientscript/yui/...event.js?v=412 HTML/Iframe.B.Gen virus connection terminated - quarantined YOUR-LK4RLMSU41\Owner Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.
Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.
As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.
We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.
Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.
-
Can you provide me with proof or documentation of the attack on your site that came via YUI? I suspect that the cookie based redirect hack you've described earlier matches up with the cookie redirect hack reported and patched in VBSEO.
-
Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13.
Among other things, vB 4.13 is still using version 2.7.0 of the YUI despite the fact that the latest YUI is 2.9.0, and Yahoo is clearly advising users of the libraries to upgrade to at least 2.8.2.
-
I have been told this specific exploit is not applicable to 4.1.3 to 3.x. I have asked for a more definitive statement.
-
I am running or administering both 3.x and 4.x forums. The forum most clearly hit by the exploit was the latest 3.x version but I am pretty certain that I saw at least one redirect on a 4.13 installation. The redirects are intermittent which makes them harder to track, possibly cookie-based.
-
Actually I have been told this was fixed in 4.1.0. Still waiting for more clarification.
-
We expect to have a patch shortly. Meanwhile you should switch to Google YUI for now.
-
See also http://articles.digitalpoint.com/con...ze-vBulletin-4
Use YUI 2.82 (or 2.9.x)
vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).
The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:
PHP Code:
define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle
to this:
PHP Code:
define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle
-
This redirect exploit seems to have resurfaced again.
See http://developer.yahoo.com/yui/
Note: All YUI 2.x users should review the YUI 2.8.2 security bulletin, which discusses a vulnerability present in YUI 2.4.0-2.8.1. If you host a YUI 2.4.0-2.8.1 distribution, you need to take action — review the bulletin for full details.
- Admin CP >> Settings >> Options >> Server Settings and Optimization Options
- Scroll down to Use Remote YUI
- Set this to Google
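
Added example, not part of any post in this thread and not vBulletin's own code: a small shell audit that scripts the two checks discussed here, reading `YUI_VERSION` from `includes/class_core.php` and comparing `uploader.swf` against the md5sum quoted in the thread for the fixed file. The function names are hypothetical, the paths are the ones mentioned in the posts, and `md5sum` is assumed to be available.

```shell
#!/bin/sh
# Added audit sketch (not vBulletin code). Hash and version range are quoted from the thread.
PATCHED_SWF_MD5="20fa166d664c0151c1c7fb872104068f"

# Print the version from define('YUI_VERSION', 'x.y.z') in class_core.php.
yui_version_of() {
    sed -n "s/^[[:space:]]*define('YUI_VERSION',[[:space:]]*'\([0-9.]*\)').*/\1/p" "$1" | head -n 1
}

# Turn x.y.z into a comparable integer (2.8.1 -> 20801); runs in a subshell.
ver_num() (
    IFS=.; set -f
    set -- $1
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
)

# Exit 0 when VERSION lies in the 2.4.0-2.8.1 range named in Yahoo's notice.
yui_in_affected_range() {
    n=$(ver_num "$1")
    [ "$n" -ge 20400 ] && [ "$n" -le 20801 ]
}

# Exit 0 when FILE has the md5sum the thread reports for the fixed uploader.swf.
swf_is_patched() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$PATCHED_SWF_MD5" ]
}

# Audit one forum root: print findings, return the number of items to review.
audit_forum() {
    root=$1; review=0
    core="$root/includes/class_core.php"
    swf="$root/clientscript/yui/uploader/assets/uploader.swf"
    if [ -f "$core" ]; then
        v=$(yui_version_of "$core")
        if yui_in_affected_range "$v"; then
            echo "CHECK $core: YUI_VERSION $v is within 2.4.0-2.8.1"; review=$((review + 1))
        else
            echo "OK    $core: YUI_VERSION ${v:-not found}"
        fi
    fi
    if [ -f "$swf" ] && ! swf_is_patched "$swf"; then
        echo "CHECK $swf: md5 differs from $PATCHED_SWF_MD5"; review=$((review + 1))
    fi
    return "$review"
}

if [ $# -gt 0 ]; then audit_forum "$1"; fi
```

Run it with the forum root as the only argument; the exit status is the number of items flagged for review.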