vBulletin 3.x and 4.x Redirect Security Exploit

  • djbaxter
    Senior Member
    • Aug 2006
    • 1418
    • 4.2.5

    [Forum] vBulletin 3.x and 4.x Redirect Security Exploit

    This redirect exploit seems to have resurfaced again.

    See http://developer.yahoo.com/yui/

    Note: All YUI 2.x users should review the YUI 2.8.2 security bulletin, which discusses a vulnerability present in YUI 2.4.0-2.8.1. If you host a YUI 2.4.0-2.8.1 distribution, you need to take action — review the bulletin for full details.
    In the meantime, do this:
    1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
    2. Scroll down to Use Remote YUI
    3. Set this to Google
    Psychlinks Web Services Affordable Web Design & Site Management
    Specializing in Small Businesses and vBulletin/Xenforo Forums
  • djbaxter
    Senior Member
    • Aug 2006
    • 1418
    • 4.2.5

    #2
    See also http://articles.digitalpoint.com/con...ze-vBulletin-4

    Use YUI 2.82 (or 2.9.x)
    vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).

    The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:

    PHP Code:
    define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle


    to this:

    PHP Code:
    define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle

    • Steve Machol
      Former Customer Support Manager
      • Jul 2000
      • 154488

      #3
      We expect to have a patch shortly. Meanwhile you should switch to Google YUI for now.
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
      Change CKEditor Colors to Match Style (for 4.1.4 and above)

      Steve Machol Photography


      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #4
        Actually I have been told this was fixed in 4.1.0. Still waiting for more clarification.

        • djbaxter
          Senior Member
          • Aug 2006
          • 1418
          • 4.2.5

          #5
          I am running or administering both 3.x and 4.x forums. The forum most clearly hit by the exploit was the latest 3.x version but I am pretty certain that I saw at least one redirect on a 4.13 installation. The redirects are intermittent which makes them harder to track, possibly cookie-based.

          • Steve Machol
            Former Customer Support Manager
            • Jul 2000
            • 154488

            #6
            I have been told this specific exploit is not applicable to 4.1.3 to 3.x. I have asked for a more definitive statement.

            • djbaxter
              Senior Member
              • Aug 2006
              • 1418
              • 4.2.5

              #7
              Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13.

              Among other things, vB 4.13 is still using version 2.7.0 of the YUI despite the fact that the latest YUI is 2.9.0, and Yahoo is clearly advising users of the libraries to upgrade to at least 2.8.2.

              • IBxAnders
                Senior Member
                • Aug 2001
                • 1172
                • 4.0.x

                #8
                Originally posted by djbaxter
                Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13
                Can you provide me with proof or documentation of the attack on your site that came via YUI? I suspect that the cookie based redirect hack you've described earlier matches up with the cookie redirect hack reported and patched in VBSEO.
                anders | vbulletin team | check out the new vbulletin facebook app
                Proudly vBulletin'ing since 2001
                Please be my friend!
                http://www.twitter.com/inetskunkworks
                vBulletin Performance Articles:
                Click here to read


                • djbaxter
                  Senior Member
                  • Aug 2006
                  • 1418
                  • 4.2.5

                  #9
                  First, members were getting alerts like the following:

                  3/23/2011 7:30:41 AM HTTP filter file http://myforum.com/clientscript/yui/...event.js?v=412 HTML/Iframe.B.Gen virus connection terminated - quarantined YOUR-LK4RLMSU41\Owner Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
                  so that implicated the YUI on both the 3.83 forum and the 4.13 forums.

                  Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.

                  Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.

                  As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.

                  We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.

                  Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.

                  • IBxAnders
                    Senior Member
                    • Aug 2001
                    • 1172
                    • 4.0.x

                    #10
                    I am still not 100% that this is the vector, investigating.

                    Originally posted by djbaxter
                    First, members were getting alerts like the following:



                    so that implicated the YUI on both the 3.83 forum and the 4.13 forum.

                    Additionally, we were seeing traffic drops and redirects to http://file2store.info/download.php?id=038CBCD4, more frequently with the 3.83 forum.

                    Given the YUI link, I checked both forums. The 4.13 forum was accessing the YUI from Yahoo. I changed it to Google. The 3.83 was accessing the vBulletin supplied 2.7.0 files. I changed that one to Google as well.

                    As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.

                    We then found the Yahoo warning and the digitalpoint instructions and as a precaution also made the changes to class_core.php to update the YUI version to 2.9.0.

                    Both forums are now running smoothly. No more redirects. No more malware alerts. Traffic back up to normal levels.

                    • Freddie Bingham
                      Former vBulletin Developer
                      • May 2000
                      • 14057
                      • 1.1.x

                      #11
                      The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.


                      • Steve Machol
                        Former Customer Support Manager
                        • Jul 2000
                        • 154488

                        #12
                        Originally posted by djbaxter
                        As soon as I changed the settings to load the YUI from Google, both the malware alerts and the redirects stopped. This was immediate. Nothing else was changed.
                        Which forums exactly? There are two in your account - both are running 4.1.3 and one is also running vBSEO.

                        Also I could not find any tickets from you regarding any exploit issues.

                        • djbaxter
                          Senior Member
                          • Aug 2006
                          • 1418
                          • 4.2.5

                          #13
                          *sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?

                          Originally posted by Freddie Bingham
                          The files patched in the yui exploit aren't part of vB3. The uploader wasn't introduced until vB4 and that was patched in 4.1.0.
                          I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?

                          Originally posted by Steve Machol
                          Which forums exactly? There are two in your account - both are running 4.1.3 and one is also running vBSEO.

                          Also I could not find any tickets from you regarding any exploit issues.
                          1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.

                          2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.

                          • IBxAnders
                            Senior Member
                            • Aug 2001
                            • 1172
                            • 4.0.x

                            #14
                            Didn't think you were attacking anyone; we are just trying to make sure we isolate a vector and address the problem. We are doing that right at this moment.



                            Originally posted by djbaxter
                            *sigh* Look: I'm not attacking anyone here. I'm simply trying to report a problem and how for me the problem was resolved. Can we try to be constructive rather than defensive?



                            I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?



                            1. The 3.x forum is not owned by me. I provide tech support for the owner who is fully licensed for 3.x.

                            2. I did not submit any tickets and I did not say anywhere that I did. We had a problem (or problems). We investigated it. We found a solution. I reported that solution here.

                            • Steve Machol
                              Former Customer Support Manager
                              • Jul 2000
                              • 154488

                              #15
                              Originally posted by djbaxter
                              I don't know what uploader you are talking about. As for the YUI, did you read Yahoo's statement? And are vBulletin 3.x and 4.x not still using the 2.7.0 versions of the YUI?
                              Actually I did read that. Particularly this page:



                              And as per this part:

                              [Image: Screen shot 2011-05-26 at 12.58.21 PM.png]

                              The uploader.swf file in vB 4.1.0 and higher is fixed.

                              And as Freddie posted above, the uploader.swf file is not used in 3.8.7 or below.

                              -bash:~/vb413/clientscript/yui/uploader/assets$ md5sum uploader.swf
                              20fa166d664c0151c1c7fb872104068f uploader.swf


                              That is based on Yahoo's instructions. This md5sum hash also matches the hash in the patch file they make available.

                              And as Freddie already noted, the uploader.swf file is not used in 3.8.7 and below.
                              Comment
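Added example, not part of the thread and not vBulletin or Yahoo code: a shell audit that combines the checks discussed above, reading `YUI_VERSION` from `includes/class_core.php`, comparing `uploader.swf` with the md5 quoted in post #15, and listing bundled YUI files that differ from a pristine copy. The function names and the pristine-copy directory are assumptions; the file paths and the hash are the ones given in the posts.

```shell
#!/usr/bin/env bash
# Added example: audit a vBulletin tree for the YUI points raised in this thread.
# Function names are hypothetical; paths and the md5 come from the posts above.
KNOWN_GOOD_SWF="20fa166d664c0151c1c7fb872104068f"   # md5 quoted in post #15

# Print the YUI_VERSION defined in includes/class_core.php (empty if not found).
yui_version() {
    sed -n "s/.*define('YUI_VERSION',[[:space:]]*'\([0-9.]*\)').*/\1/p" \
        "$1/includes/class_core.php" 2>/dev/null | head -n 1
}

# Succeed if version $1 is at least 2.8.2, the minimum Yahoo's bulletin names.
yui_version_ok() {
    [ -n "$1" ] && [ "$(printf '%s\n' 2.8.2 "$1" | sort -V | head -n 1)" = "2.8.2" ]
}

# Echo absent, patched or MISMATCH for uploader.swf against an expected md5.
swf_status() {
    swf="$1/clientscript/yui/uploader/assets/uploader.swf"
    [ -f "$swf" ] || { echo absent; return 0; }
    if [ "$(md5sum "$swf" | cut -d' ' -f1)" = "${2:-$KNOWN_GOOD_SWF}" ]; then
        echo patched
    else
        echo MISMATCH
    fi
}

# List files under clientscript/yui that differ from, or are missing in, a
# pristine copy of the same release ($2 is an assumed, separately unpacked tree).
changed_yui_files() {
    live="$1/clientscript/yui"
    find "$live" -type f | sort | while IFS= read -r f; do
        rel=${f#"$live"/}
        cmp -s "$f" "$2/clientscript/yui/$rel" 2>/dev/null || echo "$rel"
    done
}

# Run all checks: audit /path/to/forum [/path/to/pristine-copy]
audit() {
    v="$(yui_version "$1")"
    if yui_version_ok "$v"; then echo "YUI_VERSION $v: ok"
    else echo "YUI_VERSION ${v:-unknown}: below 2.8.2"; fi
    echo "uploader.swf: $(swf_status "$1")"
    if [ -n "$2" ]; then changed_yui_files "$1" "$2" | sed 's/^/modified: /'; fi
}

if [ "$#" -ge 1 ]; then audit "$@"; fi
```

A `MISMATCH` only says the local `uploader.swf` is not byte-identical to the build whose hash was posted, and a `modified:` line for a file such as `event/event.js` is the kind of change the antivirus alert in post #9 pointed at.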
