
Security Bulletin - vBSEO 3.5.2 Released


  1. #1
    vBSEO.com Webmaster: Mert Gökçeimam
    Real Name: Lizard King

    Security Bulletin - vBSEO 3.5.2 Released

    A security flaw has been identified in the vBSEO code base that has necessitated the release of vBSEO 3.5.2. All customers should upgrade or patch immediately. Older versions (the 3.3.x series) have also been updated to include the patch for those customers not wishing to upgrade to a newer version or for customers whose licenses are expired. The RC builds are no longer available and you should upgrade to a stable version at once. Versions before vBSEO 3.3.0 have met end of life and are no longer supported but are affected by this exploit. If you are running an out of date version, you should upgrade as soon as possible to a supported, patched version.

    3.5.2 also contains several new features and many bug fixes that have passed QA since the 3.5.1 PL1 release and several enhancements to the product.


    • new Tag thread titles
    • new Correctly Loading Div within vBSEO Cp (accounts for #anchor in cp links)
    • new Improvement to vBSEO Cp language system
    • new Automatic code insert for Relevant Replacements ( vb4 only, no more template edit necessary )
    • new Re-opening of the vBSEO.com CRR generator ( http://www.vbseo.com/info/crr-maker-ajax.html )
    • new Twitter has been added as a default Social bookmark
    • new A new notice has been added that will remind you to chmod 644 your config.xml file
    • fixed Showthread & Forumdisplay Go to page issue
    • fixed Album rewrite disabled option
    • fixed Linkback approve disapprove icon display
    • fixed Who's online user location displays non-vbseo'd url
    • fixed CMS section url cache
    • fixed Duplicate URLs with "nocache" parameter
    • fixed Lighttpd rewrite rules have been
    • fixed SEO URL-Alias bracket bug
    • fixed CMS Attachment thumbnail not displaying correctly
    • fixed Member urls incorrect with Php 5.3.3
    • fixed Uncached vbseo blog templates
    • fixed Forum cache bug
    • fixed CMS Category urls display issue
    • fixed Blog tag rewrite
    • fixed Attachments loading slow
    • fixed vbSEO Copyright display options showing wrong option
    • fixed config.xml has been rearranged to allow for more logical setting groupings
    • fixed Furl has been removed from Social bookmarks
    • fixed vBSEO breaking xhtml validation issue
    • fixed Newly created forums redirected to Forumhome issue
    • fixed Rewrite Nav bullet image option is changed to display vB3 versions only
    • fixed Missing md5 sum file has been added
    • fixed UTF8 support bug
    • fixed Issue with Blog Social Bookmarks in vB4 version
    • fixed Duplicate attachment url issue
    • fixed Memcached bug
    • fixed Threaded mode causing blank pages
    • fixed A minor bug related to create article is corrected
    • fixed Duplicate avatar url issue corrected


    Details of the exploit:

    A flaw within the parsing of external thread titles in BBCode tags has left a possible window open for an attacker to run PHP code in real time against a page load, and possibly obtain information about your database or login details or insert malicious code into your database.

    3.5.2 is available in the downloads area.
    http://www.vbseo.com/downloads/


    I've been hacked, what do I do?
    Most reports we have seen so far have been the same cookie stuffing and redirect code inserted into the datastore. Upgrading the vBSEO plugin will refresh the datastore which will clear out any rogue entries that may be in the datastore. You can also try searching for "base64" and other variations. Some examples can be found here: Forum Code randomly injected into our vbulletin pages.

    It may also be a good idea to limit new users from posting links. Without the ability to post a link and parse it as clickable, anyone who tried may be able to be found out and banned by your moderating staff before they were able to do any harm. There is a vb3 version tutorial available here on how to make a new user group with no/limited permissions to do anything. It should be noted that this also affects the 'preview' post option, so it is possible that even without posting a link, an attacker could gain the above information.
    What countries do you ban, totally
    We have not converted this for vb4 yet. Perhaps a user can contribute notes on this if they are able to get it working.

    Our staff is here to assist you if you require further help, such as using our vBSEO - Upgrade Service to upgrade to our latest release and our technical staff is standing by in the http://www.vbseo.com/support/ area should you need further help.

    Get your 3.5.2 now from the downloads area!
    http://www.vbseo.com/downloads/


    Thanks,
    the vBSEO Team
    Mert Gökçeimam / Crawlability Inc.

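The bulletin's advice to search for "base64" and other variations can be turned into a repeatable check. The following is an added example, not part of the original post and not vBSEO code: it scans text rows exported from the forum database, undoes simple string splitting, and also looks inside embedded base64 blobs. The table names, row titles and the extra patterns beyond "base64" are assumptions, and the sample rows are constructed.

```python
import base64
import re

# The bulletin says to search for "base64" and other variations; the other
# patterns here are assumed examples of such variations, not a vendor list.
PATTERNS = {
    "base64_decode": re.compile(r"base64_decode"),
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate": re.compile(r"gzinflate\s*\("),
    "iframe": re.compile(r"<iframe\b"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def normalize(text):
    """Undo \\xNN escapes and 'a'.'b' concatenation so split keywords match."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"""["']\s*\.\s*["']""", "", text)
    return text.lower()

def scan_text(text, depth=0):
    """Return the names of all patterns found, looking inside base64 blobs too."""
    clean = normalize(text)
    hits = {name for name, rx in PATTERNS.items() if rx.search(clean)}
    if depth < 2:  # bounded recursion for blobs nested inside blobs
        for run in B64_RUN.findall(text):
            try:
                raw = base64.b64decode(run + "=" * (-len(run) % 4))
            except ValueError:
                continue  # not valid base64 after all
            inner = scan_text(raw.decode("utf-8", "ignore"), depth + 1)
            if inner:
                hits |= inner | {"hidden in base64 blob"}
    return hits

def scan_rows(rows):
    """rows: (table, title, text) tuples exported from the forum database."""
    found = [(table, title, sorted(scan_text(text))) for table, title, text in rows]
    return [row for row in found if row[2]]

# Constructed sample rows; the payloads are inert placeholders.
BLOB = base64.b64encode(b'<iframe src="http://example.invalid/x" width="0"></iframe>').decode()
ROWS = [
    ("datastore", "options", 'a:1:{s:7:"bbtitle";s:8:"My Forum";}'),
    ("datastore", "pluginlist", "$f = 'base'.'64_de'.'code'; ev\\x61l($f($p));"),
    ("plugin", "global_start", "echo '" + BLOB + "';"),
]

if __name__ == "__main__":
    for table, title, hits in scan_rows(ROWS):
        print(f"{table}.{title}: {', '.join(hits)}")
```

A hit is a lead for manual review rather than proof of compromise, since legitimate plugins can also call these functions.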

  2. #2
    Member: neo
    Real Name: Diego

    I'm running 3.3.2 and want to keep doing so.

    Is there any particular file we should re-upload or just replace the whole thing? Also I don't suppose we have to readd no product file via the plugin system right?

  3. #3
    vBSEO Staff: Ace Shattock
    Real Name: Ace Shattock

    Quote (originally posted by neo):
        I'm running 3.3.2 and want to keep doing so.

        Is there any particular file we should re-upload or just replace the whole thing? Also I don't suppose we have to readd no product file via plugin system right?

    If you wish to upgrade, you must upload all files.

    The 3.x line < 3.3.x is officially End of Life, but we have provided patched releases in the Downloads section as a courtesy to those people who don't wish to upgrade to 3.5.x.

    *edit* My bad. Reimporting the product file is not required but is advisable.
    Ace Shattock / Crawlability Inc.

  4. #4
    Senior Member
    Real Name: Ceri May

    Quote (originally posted by neo):
        I'm running 3.3.2 and want to keep doing so.

        Is there any particular file we should re-upload or just replace the whole thing? Also I don't suppose we have to readd no product file via the plugin system right?

    You should overwrite all the files, and no you don't need to re-import the product file. However re-importing the product file will remove any suspect code if you were hit with the exploit prior to now and didn't realise so it is advisable.

  5. #5
    Junior Member
    Real Name: ayaam

    thanks

  6. #6
    Junior Member
    Real Name: luis

    Can I just overwrite the files from vBSEO 3.5.1 PL1 or do I need a normal upgrade?

    PS i see a "new reply detected" is that a public mod?

  7. #7
    Junior Member
    Real Name: Ricky Mills

    Since there is effectively zero upgrade process (you effectively uninstall the old, and install the new) can 3.5.1 users just replace everything except the config.xml and the url xmls with the PL1 versions?

  8. #8
    vBSEO Staff: Marco Mamdouh
    Real Name: Marco Mamdouh

    Quote (originally posted by luismanson):
        Can I just overwrite the files from vBSEO 3.5.1 PL1 or do I need a normal upgrade?

        PS I see a "new reply detected", is that a public mod?

    I recommend performing it as a normal upgrade to re-import the xml product again, as that will refresh the datastore.

    About your PS, Sorry that's not a public mod.
    Marco Mamdouh Fahem / Crawlability Inc.

  9. #9
    Junior Member
    Real Name: Ricky Mills

    Also, how will we know if we were exploited prior to this? Is there any way of telling?

  10. #10
    Member
    Real Name: partyon

    I gather it is fine to reimport your saved settings xml yeah?

    Nevermind, answers above.

  11. #11
    vBSEO Staff: Marco Mamdouh
    Real Name: Marco Mamdouh

    Yes, it's fine to re-import the saved settings, but now you don't need to re-import them since vBSEO stores the settings in the datastore and re-imports them automatically in all of your upgrades, so you don't need to do that.
    Marco Mamdouh Fahem / Crawlability Inc.

  12. #12
    Senior Member
    Real Name: kyrivalry

    Upgrade went smoothly. Thanks!

  13. #13
    Junior Member
    Real Name: luis

    Last question I never do... in this or any upgrade we download the two XML files... but when we uninstall the product from vb admincp... should I choose to keep data or no?

  14. #14
    Junior Member
    Real Name: Ricky Mills

    Possible bug: Config file has been set to non writable (tried 444 and 644) and I still get the "your config file is writable..." message :/

    After clicking the 'x' it has gone. Is this supposed to happen?

  15. #15
    vBSEO Staff: Marco Mamdouh
    Real Name: Marco Mamdouh

    You don't need to uninstall the xml product; you just need to re-import and overwrite it.
    Marco Mamdouh Fahem / Crawlability Inc.