vBulletin 3.x and 4.x Redirect Security Exploit

  • djbaxter
    Senior Member
    • Aug 2006
    • 1418
    • 4.2.5

    #16
    OK. You guys obviously know the inner workings of vBulletin better than I do. Nonetheless, the malware alert I noted above

    3/23/2011 7:30:41 AM HTTP filter file http://myforum.com/clientscript/yui/...event.js?v=412 HTML/Iframe.B.Gen virus connection terminated - quarantined YOUR-LK4RLMSU41\Owner Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    occurred on my 4.13 installation.

    And, switching to the Google YUI files removed the redirect issue on the 3.83 forum.

    It still seems to me that switching to the 2.90 stream would avoid these issues. Why doesn't vBulletin do that?
    Psychlinks Web Services Affordable Web Design & Site Management
    Specializing in Small Businesses and vBulletin/Xenforo Forums


    • IBxAnders
      Senior Member
      • Aug 2001
      • 1172
      • 4.0.x

      #17
      We are investigating this.

      Originally posted by djbaxter
      OK. You guys obviously know the inner workings of vBulletin better than I do. Nonetheless, the malware alert I noted above



      occurred on my 4.13 installation.

      And, switching to the Google YUI files removed the redirect issue on the 3.83 forum.

      It still seems to me that switching to the 2.90 stream would avoid these issues. Why doesn't vBulletin do that?
      anders | vbulletin team | check out the new vbulletin facebook app
      Proudly vBulletin'ing since 2001
      Please be my friend!
      http://www.twitter.com/inetskunkworks
      vBulletin Performance Articles:
      Click here to read


      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #18
        I really don't know what caused that, but as per the Yahoo page our uploader.swf is fixed for this exploit. Did that happen on your forum running vBSEO? Have you upgraded to the latest version as per this: http://www.vbseo.com/f5/vbseo-securi...3-5-2-a-49106/

        As for 2.9.0, we are already running the fixed uploader.swf file as per Yahoo itself. Therefore there is no 'issue'. Upgrading to a higher version will require a complete Q&A of course.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
        Change CKEditor Colors to Match Style (for 4.1.4 and above)

        Steve Machol Photography


        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



        • IBxAnders
          Senior Member
          • Aug 2001
          • 1172
          • 4.0.x

          #19
          We are exploring moving to 2.9

          • djbaxter
            Senior Member
            • Aug 2006
            • 1418
            • 4.2.5

            #20
            Originally posted by Steve Machol
            I really don't know what caused that, but as per the Yahoo page our uploader.swf is fixed for this exploit. Did that happen on your forum running vBSEO? Have you upgraded to the latest version as per this: http://www.vbseo.com/f5/vbseo-securi...3-5-2-a-49106/
            Yes and I'm running vBSEO 3.60.
            Last edited by djbaxter; Thu 26 May '11, 12:25pm.

            • IBxAnders
              Senior Member
              • Aug 2001
              • 1172
              • 4.0.x

              #21
              Originally posted by djbaxter
              Yes and I'm running vBSEO 2.60.
              You should be on absolute latest version of VBSEO, 2.6, if I am not mistaken is before Dinosaurs roamed the earth.

              • djbaxter
                Senior Member
                • Aug 2006
                • 1418
                • 4.2.5

                #22
                Originally posted by IBxAnders
                You should be on absolute latest version of VBSEO, 2.6, if I am not mistaken is before Dinosaurs roamed the earth.
                Sorry. That was a typo. I meant 3.60. Corrected above as well.

                • Paul M
                  Former Lead Developer
                  vB.Com & vB.Org
                  • Sep 2004
                  • 9886

                  #23
                  Originally posted by djbaxter
                  Well I can tell you from personal experience that it most definitely IS applicable to 3.x and I believe it is also to 4.13.
                  The affected files do not exist in any vb 3.x version. Only the uploader.swf exists in vb 4.x. Charts.swf is not part of any vb version.
                  Baby, I was born this way


                  • djbaxter
                    Senior Member
                    • Aug 2006
                    • 1418
                    • 4.2.5

                    #24
                    I don't care whether those files do or do not exist in any 3.x version. I'm telling you that whatever caused this problem occurred in a 3.83 installation and was related to the vbulletin 3.x and Yahoo YUI files.

                    To be honest, what it ISN'T is of no real interest to me. Again, I'm reporting a problem and a resolution or workaround. I'm not a vBulletin coder and I'll leave it up to those who work for vBulletin to sort it out. In the meantime, for others who may have been affected or who may be affected, this solution worked for us. And, until vBulletin can come up with something better, if I were running a forum, 3.x or 4.x, that had not had this workaround applied, I'd be worried.

                    • Paul M
                      Former Lead Developer
                      vB.Com & vB.Org
                      • Sep 2004
                      • 9886

                      #25
                      Originally posted by djbaxter
                      I don't care whether those files do or do not exist in any 3.x version.
                      Whether you care or not, you cannot exploit a file that simply does not exist.

                      • djbaxter
                        Senior Member
                        • Aug 2006
                        • 1418
                        • 4.2.5

                        #26
                        Please re-read what I have posted. I don't know precisely WHAT file was exploited and I haven't claimed to know. I have reported in some detail what occurred, what I observed, what I tried as a remedy, and how that remedy worked.

                        You can now take that information and do whatever you wish with it. If you have an explanation, I'm all ears. I'm not really interested in what does NOT explain it.

                        The reality is that it's now up to vBulletin to determine why this occurred. My forums are now safe, as far as I can tell. If that changes, I will be sure to update this thread.

                        • Paul M
                          Former Lead Developer
                          vB.Com & vB.Org
                          • Sep 2004
                          • 9886

                          #27
                          Originally posted by djbaxter
                          Please re-read what I have posted.
                          I did. I'm specifically referring to this part.

                          Well I can tell you from personal experience that it most definitely IS applicable to 3.x
                          The specific exploit is not applicable to 3.x, the affected files simply don't exist in it.

                          I am pleased for you that overall you now seem to be ok, hackers are a real PITA - and it could be a combination of steps you have taken, or maybe they simply moved on, who knows (apart from them) - but the fact remains that the YUI issue you are referring to involves files that simply don't exist in vb 3.x releases.

                          • IBxAnders
                            Senior Member
                            • Aug 2001
                            • 1172
                            • 4.0.x

                            #28
                            The issue reported by user is that VB3 and VB4 are using YUI 2.7.0; which is reported to be vulnerable to exploits.

                            The original alert he referenced was for an uploader file; and this was patched a while ago.

                            We are now exploring the update to YUI 2.9.0 to err on the side of security even though we have not confirmed the issue.

                            • SighK
                              Member
                              • Apr 2009
                              • 79
                              • 3.8.x

                              #29
                              I have amended the class_core.php file with your instructions and put 2.8.2 and saved the file, is there anything else I need to do for 3.8.6 to protect myself from this redirect exploit?


                              • djbaxter
                                Senior Member
                                • Aug 2006
                                • 1418
                                • 4.2.5

                                #30
                                Originally posted by SighK
                                I have amended the class_core.php file with your instructions and put 2.8.2 and saved the file, is there anything else I need to do for 3.8.6 to protect myself from this redirect exploit?
                                Yes. Load the YUI externally from Google.
                                Psychlinks Web Services Affordable Web Design & Site Management
                                Specializing in Small Businesses and vBulletin/Xenforo Forums
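
An added example, not part of the thread and not vBulletin or YUI code: the alert in post #16 flagged iframe markup in a served YUI script, so one way to check a forum's local `clientscript/yui` copy is to compare it file by file with a freshly downloaded copy of the same YUI release. The function names, directory names and sample file contents below are constructed for illustration.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)


def _files(root):
    """Map forward-slash relative path -> bytes for every file under root."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return out


def audit_yui(deployed_root, reference_root):
    """Compare a deployed yui/ tree with a known-good copy; return sorted findings."""
    deployed, reference = _files(deployed_root), _files(reference_root)
    findings = []
    for rel, data in deployed.items():
        good = reference.get(rel)
        if good is None:
            findings.append((rel, "not-in-reference"))
        elif data != good:
            # Count only iframe markup that the clean copy does not already have.
            extra = len(IFRAME_RE.findall(data)) > len(IFRAME_RE.findall(good))
            findings.append((rel, "modified+iframe" if extra else "modified"))
    return sorted(findings)


def demo():
    """Run the audit on two constructed sample trees (not real YUI code)."""
    clean = b"/* constructed stand-in for event.js */\nvar YAHOO = {};\n"
    injected = clean + b"document.write('<iframe src=\"//placeholder.invalid/\"></iframe>');\n"
    with tempfile.TemporaryDirectory() as tmp:
        for tree, event_js in (("reference", clean), ("deployed", injected)):
            os.makedirs(os.path.join(tmp, tree, "event"))
            with open(os.path.join(tmp, tree, "event", "event.js"), "wb") as fh:
                fh.write(event_js)
        with open(os.path.join(tmp, "deployed", "charts.swf"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real SWF")
        return audit_yui(os.path.join(tmp, "deployed"), os.path.join(tmp, "reference"))


if __name__ == "__main__":
    print(demo())
```

A file reported as `not-in-reference` or `modified` is only a lead: open it and compare it with the clean copy before deciding whether to restore or delete it.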
