A security flaw has been identified in the 3.5.x codebase that has necessitated the release of vBSEO 3.5.1 PL1. All customers running the 3.5.x series should upgrade immediately. The 3.5.1 and 3.5.0 downloads have also been updated to include the patch, for customers who do not wish to upgrade to a newer version or whose licenses have expired. The RC builds are no longer available and you should upgrade to a stable version at once.
3.5.1 PL1 also contains a few minor bug fixes since the 3.5.1 release that have passed QA. There are no new features, just fixes to bugs reported. A full list is not available at this time as our focus of this release is on security. A complete update list will be included with 3.5.2 when it is released.
This issue does not affect vBSEO 3.3.x and lower versions.
Details of the exploit:
A writable config.xml file (chmod 0666) can be compromised. We always advise customers to lock down their files with 0644 permissions once they are done changing settings. Even then, misconfigured web servers sometimes still allow the web server to write to a 644 file because of the file ownership (chown) used by Apache.
If you can edit your vBSEO settings with your config.xml file chmod'ed to 644, you should contact your host for server security support. This should NOT work. vBSEO should throw an error back saying your config file is not writable.
If you have ssh access, you can try chowning the config file to a different user. Oleg explains this a bit more in this thread: config.xml settings changed randomly - security issue?
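The check described above can be run over ssh. The script below is an added example, not vBSEO code: it reports whether a given web server account can write config.xml through the owner, group or other permission bits, which covers the case of a 0644 file that is still writable because the web server account owns it. It assumes Linux with GNU coreutils (`stat -c`); the account names `apache` and `siteowner` are illustrative.

```shell
#!/bin/sh
# Added example. Assumes Linux with GNU coreutils (stat -c).
# "apache" and "siteowner" are illustrative account names.

# write_path MODE OWNER GROUP WEBUSER "WEBGROUPS"
# Prints which permission class lets WEBUSER write: owner, group, other, none.
# Unix checks exactly one class: owner bits if the user owns the file,
# else group bits if the user is in the file's group, else other bits.
write_path() {
    m=$((0$1))                      # octal mode string -> integer
    if [ "$2" = "$4" ]; then
        if [ $((m & 128)) -ne 0 ]; then echo owner; else echo none; fi  # 0200
        return 0
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            if [ $((m & 16)) -ne 0 ]; then echo group; else echo none; fi  # 0020
            return 0
        fi
    done
    if [ $((m & 2)) -ne 0 ]; then echo other; else echo none; fi  # 0002
}

# audit_config FILE WEBUSER: returns 0 if WEBUSER cannot write FILE,
# 1 if it can, 2 if the file or the account cannot be inspected.
audit_config() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    wgroups=$(id -Gn "$2") || return 2
    webuser=$2
    set -- $info                    # now $1=mode $2=owner $3=group
    via=$(write_path "$1" "$2" "$3" "$webuser" "$wgroups")
    if [ "$via" = none ]; then
        echo "OK: $webuser cannot write (mode $1, owner $2:$3)"
        return 0
    fi
    echo "WRITABLE by $webuser via $via bits (mode $1, owner $2:$3)"
    return 1
}

# Usage: sh audit.sh /path/to/config.xml apache
if [ $# -eq 2 ]; then audit_config "$1" "$2"; fi
```

A result of `owner` on a 644 file is the misconfiguration described above: the mode looks locked down, but the web server account owns the file.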
There is an active discussion on this topic in that same thread: config.xml settings changed randomly - security issue?
Note that we are not your server admins and we can only offer advice on securing your server - we cannot do it for you.
3.5.1 PL1 is available in the downloads section.
http://www.vbseo.com/downloads/
I've been hacked, what do I do?
Most users are reporting a change in url settings, and losing traffic to a JS redirect script.
If you think you may have been compromised, the best thing to do is:
- install 3.5.1 PL1
- load a backup vbseo_all.xml into your cp and save your key and password.
If you do not have a backup, you should try to set your URLs back to how they were before, as best as you can remember. Do a site: search in Google to find your indexed links for pointers. When you are done, make a backup this time so you have it in the future.
Our staff is here to assist you if you require further help, such as using our vBSEO - Upgrade Service to upgrade to our latest release. Our technical staff is also standing by in the http://www.vbseo.com/support/ area.
Get your 3.5.1 PL1 now from the downloads area!
http://www.vbseo.com/downloads/
Please discuss this issue here: config.xml settings changed randomly - security issue? - vBulletin SEO Forums
Thanks,
the vBSEO Team








