A security flaw has been identified in the vBSEO code base that has necessitated the release of vBSEO 3.5.2. All customers should upgrade or patch immediately. Older versions (the 3.3.x series) have also been updated to include the patch for those customers not wishing to upgrade to a newer version or for customers whose licenses are expired. The RC builds are no longer available and you should upgrade to a stable version at once. Versions before vBSEO 3.3.0 have met end of life and are no longer supported but are affected by this exploit. If you are running an out of date version, you should upgrade as soon as possible to a supported, patched version.
3.5.2 also contains several new features and many bug fixes that have passed QA since the 3.5.1 PL1 release and several enhancements to the product.
- new Tag thread titles
- new Correctly Loading Div within vBSEO Cp (accounts for #anchor in cp links)
- new Improvement to vBSEO Cp language system
- new Automatic code insert for Relevant Replacements ( vb4 only, no more template edit necessary )
- new Re-opening of the vBSEO.com CRR generator ( http://www.vbseo.com/info/crr-maker-ajax.html )
- new Twitter has been added as a default Social bookmark
- new A new notice have been added that will remind you to chmod 644 your config.xml file
- fixed Showthread & Forumdisplay Go to page issue
- fixed Album rewrite disabled option
- fixed Linkback approve disapprove icon display
- fixed Who's online user location displays non-vbseo'd url
- fixed CMS section url cache
- fixed Duplicate URLs with "nocache" parameter
- fixed Lighttpd rewrite rules have been
- fixed SEO URL-Alias bracket bug
- fixed CMS Attachment thumbnail not displaying correctly
- fixed Member urls incorrect with Php 5.3.3
- fixed Uncached vbseo blog templates
- fixed Forum cache bug
- fixed CMS Category urls display issue
- fixed Blog tag rewrite
- fixed Attachments loading slow
- fixed vbSEO Copyright display options showing wrong option
- fixed config.xml has been rearranged to allow for more logical setting groupings
- fixed Furl has been removed from Social bookmarks
- fixed vBSEO breaking xhtml validation issue
- fixed Newly created forums redirected to Forumhome issue
- fixed Rewrite Nav bullet image option is changed to display vB3 versions only
- fixed Missing md5 sum file have been added
- fixed UTF8 support bug
- fixed Issue with Blog Social Bookmarks in vB4 version
- fixed Duplicate attachment url issue
- fixed Memcached bug
- fixed Threaded mode causing blank pages
- fixed A minor bug related to create article is corrected
- fixed Duplicate avatar url issue corrected
Details of the exploit:
A flaw within the parsing of external thread titles in BBCode tags has left a possible window open for an attacker to run php code real time against a page load, and possibly obtain information about your database or login details or insert malicious code into your database.
3.5.2 is available in the downloads area.
I've been hacked, what do I do?
Most reports we have seen so far have been the same cookie stuffing and redirect code inserted into the datastore. Upgrading the vBSEO plugin will refresh the datastore which will clear out any rogue entries that may be in the datastore. You can also try searching for "base64" and other variations. Some examples can be found here: Forum Code randomly injected into our vbulletin pages.
It may also be a good idea to limit new users from posting links. Without the ability to post a link and parse it as click able, anyone who tried may be able to be found out and banned by your moderating staff before they were able to do any harm. There is a vb3 version tutorial available here on how to make a new user group with no/limited permissions to do anything. It should be noted that this also effects the 'preview' post option, so it is possible that even without posting a link, an attacker could gain the above information.
What countries do you ban, totally
We have not converted this for vb4 yet. Perhaps a user can contribute notes on this if they are able to get it working.
Our staff is here to assist you if you require further help, such as using our vBSEO - Upgrade Service to upgrade to our latest release and our technical staff is standing by in the http://www.vbseo.com/support/ area should you need further help.
Get your 3.5.2 now from the downloads area!
the vBSEO Team