vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.

  • #16
    OK. You guys obviously know the inner workings of vBulletin better than I do. Nonetheless, the malware alert I noted above

    3/23/2011 7:30:41 AM HTTP filter file http://myforum.com/clientscript/yui/...event.js?v=412 HTML/Iframe.B.Gen virus connection terminated - quarantined YOUR-LK4RLMSU41\Owner Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    occurred on my 4.13 installation.

    And, switching to the Google YUI files removed the redirect issue on the 3.83 forum.

    It still seems to me that switching to the 2.90 stream would avoid these issues. Why doesn't vBulletin do that?
    Psychlinks Mental Health Support Forum
    Local Search Forum


    • #17
      We are investigating this.

      Originally posted by djbaxter
      OK. You guys obviously know the inner workings of vBulletin better than I do. Nonetheless, the malware alert I noted above



      occurred on my 4.13 installation.

      And, switching to the Google YUI files removed the redirect issue on the 3.83 forum.

      It still seems to me that switching to the 2.90 stream would avoid these issues. Why doesn't vBulletin do that?
      anders | vbulletin team | check out the new vbulletin facebook app
      Proudly vBulletin'ing since 2001
      Please be my friend!
      http://www.twitter.com/inetskunkworks
      vBulletin Performance Articles:
      Click here to read


      • #18
        I really don't know what caused that, but as per the Yahoo page our uploader.swf is fixed for this exploit. Did that happen on your forum running vBSEO? Have you upgraded to the latest version as per this: http://www.vbseo.com/f5/vbseo-securi...3-5-2-a-49106/

        As for 2.9.0, we are already running the fixed uploader.swf file as per Yahoo itself. Therefore there is no 'issue'. Upgrading to a higher version will require a complete Q&A of course.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
        Change CKEditor Colors to Match Style (for 4.1.4 and above)

        Steve Machol Photography


        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



        • #19
          We are exploring moving to 2.9
          anders | vbulletin team | check out the new vbulletin facebook app
          Proudly vBulletin'ing since 2001


          • #20
            Originally posted by Steve Machol
            I really don't know what caused that, but as per the Yahoo page our uploader.swf is fixed for this exploit. Did that happen on your forum running vBSEO? Have you upgraded to the latest version as per this: http://www.vbseo.com/f5/vbseo-securi...3-5-2-a-49106/
            Yes and I'm running vBSEO 3.60.
            Last edited by djbaxter; Thu 26th May '11, 12:25pm.
            Psychlinks Mental Health Support Forum
            Local Search Forum


            • #21
              Originally posted by djbaxter
              Yes and I'm running vBSEO 2.60.
              You should be on the absolute latest version of vBSEO; 2.6, if I am not mistaken, is from before dinosaurs roamed the earth.
              anders | vbulletin team | check out the new vbulletin facebook app
              Proudly vBulletin'ing since 2001


              • #22
                Originally posted by IBxAnders
                You should be on the absolute latest version of vBSEO; 2.6, if I am not mistaken, is from before dinosaurs roamed the earth.
                Sorry. That was a typo. I meant 3.60. Corrected above as well.
                Psychlinks Mental Health Support Forum
                Local Search Forum


                • #23
                  Originally posted by djbaxter
                  Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13.
                  The affected files do not exist in any vb 3.x version. Only the uploader.swf exists in vb 4.x. Charts.swf is not part of any vb version.
                  Baby, I was born this way


                  • #24
                    I don't care whether those files do or do not exist in any 3.x version. I'm telling you that whatever caused this problem occurred in a 3.83 installation and was related to the vbulletin 3.x and Yahoo YUI files.

                    To be honest, what it ISN'T is of no real interest to me. Again, I'm reporting a problem and a resolution or workaround. I'm not a vBulletin coder and I'll leave it up to those who work for vBulletin to sort it out. In the meantime, for others who may have been affected or who may be affected, this solution worked for us. And, until vBulletin can come up with something better, if I were running a forum, 3.x or 4.x, that had not had this workaround applied, I'd be worried.
                    Psychlinks Mental Health Support Forum
                    Local Search Forum


                    • #25
                      Originally posted by djbaxter
                      I don't care whether those files do or do not exist in any 3.x version.
                      Whether you care or not, you cannot exploit a file that simply does not exist.
                      Baby, I was born this way


                      • #26
                        Please re-read what I have posted. I don't know precisely WHAT file was exploited and I haven't claimed to know. I have reported in some detail what occurred, what I observed, what I tried as a remedy, and how that remedy worked.

                        You can now take that information and do whatever you wish with it. If you have an explanation, I'm all ears. I'm not really interested in what does NOT explain it.

                        The reality is that it's now up to vBulletin to determine why this occurred. My forums are now safe, as far as I can tell. If that changes, I will be sure to update this thread.
                        Psychlinks Mental Health Support Forum
                        Local Search Forum


                        • #27
                          Originally posted by djbaxter
                          Please re-read what I have posted.
                          I did. I'm specifically referring to this part.

                          Well I can tell you from personal experience that it most definitely IS applicable to 3.x
                          The specific exploit is not applicable to 3.x; the affected files simply don't exist in it.

                          I am pleased for you that overall you now seem to be OK. Hackers are a real PITA, and it could be a combination of steps you have taken, or maybe they simply moved on, who knows (apart from them), but the fact remains that the YUI issue you are referring to involves files that simply don't exist in vb 3.x releases.
                          Baby, I was born this way


                          • #28
                            The issue reported by the user is that VB3 and VB4 are using YUI 2.7.0, which is reported to be vulnerable to exploits.

                            The original alert he referenced was for an uploader file; and this was patched a while ago.

                            We are now exploring the update to YUI 2.9.0 to err on the side of security even though we have not confirmed the issue.
                            anders | vbulletin team | check out the new vbulletin facebook app
                            Proudly vBulletin'ing since 2001


                            • #29
                              I have amended the class_core.php file with your instructions and put 2.8.2 and saved the file, is there anything else I need to do for 3.8.6 to protect myself from this redirect exploit?


                              • #30
                                Originally posted by SighK
                                I have amended the class_core.php file with your instructions and put 2.8.2 and saved the file, is there anything else I need to do for 3.8.6 to protect myself from this redirect exploit?
                                Yes. Load the YUI externally from Google.
                                Psychlinks Mental Health Support Forum
                                Local Search Forum
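
A defender-side check for the situation discussed in this thread, as an added example that is not vBulletin's code or anything posted by the participants: it walks a clientscript directory and reports YUI files whose header version is below 2.9.0, the two SWF files named in the thread, and any .js file containing iframe markup like the one the antivirus alert flagged. The function names, finding labels and sample tree are constructed for illustration, and the version check assumes the "version: x.y.z" line that YUI 2 files carry in their licence header.

```python
import re
import tempfile
from pathlib import Path

# Assumption: YUI 2 release files carry a "version: x.y.z" line in their licence header.
VERSION_RE = re.compile(rb"^\s*version:\s*(\d+)\.(\d+)\.(\d+)", re.M)
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.I)  # markup has no place in a YUI .js file
SWF_NAMES = {"uploader.swf", "charts.swf"}      # files named in the thread
TARGET = (2, 9, 0)                              # release the vBulletin team says it is exploring


def audit_yui(clientscript_dir):
    """Return (relative_path, finding) tuples for a local YUI tree."""
    root = Path(clientscript_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in SWF_NAMES:
            # Presence only: confirm separately that it is the patched copy.
            findings.append((rel, "swf-present"))
        elif name.endswith(".js"):
            data = path.read_bytes()
            m = VERSION_RE.search(data[:1024])
            if m and tuple(int(g) for g in m.groups()) < TARGET:
                findings.append((rel, "yui-" + ".".join(g.decode() for g in m.groups())))
            if IFRAME_RE.search(data):
                findings.append((rel, "iframe-in-js"))
    return findings


def build_sample_tree(base):
    """Constructed sample tree (not real vBulletin files) for an offline run."""
    yui = Path(base) / "yui"
    (yui / "event").mkdir(parents=True)
    (yui / "uploader" / "assets").mkdir(parents=True)
    header = b"/*\nCopyright (c) Yahoo! Inc.\nversion: 2.7.0\n*/\n"
    (yui / "event" / "event.js").write_bytes(
        header + b"document.write('<iframe src=\"http://example.invalid/\"></iframe>');\n")
    (yui / "yahoo.js").write_bytes(b"/*\nversion: 2.9.0\n*/\nvar YAHOO={};\n")
    (yui / "uploader" / "assets" / "uploader.swf").write_bytes(b"FWS")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_yui(build_sample_tree(tmp)):
            print(f"{finding:14} {rel}")
```

An "iframe-in-js" finding on a file such as event.js means the local copy should be replaced from a clean vendor package and the route by which it was modified investigated.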
