Security Bulletin - vBSEO 3.6.0 PL2 Released

Hello dear Customers and Friends,

An exploit has come to our attention that necessitates the release of a Patch for all currently supported versions, including:

• vBSEO 3.6.0
• vBSEO 3.5.2
• vBSEO 3.5.1
• vBSEO 3.5.0

Versions below 3.5.0 are no longer supported and have met end of life, however they have been patched as well:

• vBSEO 3.3.2
• vBSEO 3.3.1
• vBSEO 3.3.0

All of the above install packages in the downloads area have been updated should you wish to re-install the entire product. A PL tag has been added to all of the vBSEO packages available on our downloads area.

It is recommended to apply the patch by downloading a fresh copy of vBSEO from your Downloads area, however if you don't feel comfortable doing so, the fix can be applied manually:

For vBSEO 3.5.x and newer versions:

In your "vbseo/includes/functions_vbseo_vb.php" file, please find (first instance):

PHP Code:

vbseo_int_var($ids); 


Add below:

PHP Code:

vbseo_int_var($aids); 


For vBSEO 3.3.x and earlier versions:

In your "includes/functions_vbseo_vb.php" file, please find (first instance):

PHP Code:

$rid = $db->vbseodb_query($q = "
SELECT
forumid,announcementid,title 


Add above:

PHP Code:

$aids=intval($aids); 


Please note that this security issue has no relevance with the redirect issue that many users have been reporting through vBulletin.com and vBSEO.com.

We encourage all users to apply the patch as soon as possible.

If you have any questions, please don't hesitate to let us know. The vBSEO Support Team will be ready to assist via ticket or this thread.


Thank you,
The vBSEO Team.

There are two 'vbseo_int_var($ids);'. Does it go under both?

Originally Posted by woostar

There are two 'vbseo_int_var($ids);'. Does it go under both?

Yeah, what he said?

Mert - vbseo_int_var($ids);is in vbseo/includes/functions_vbseo_vb.php twice. I assume you just add vbseo_int_var($aids); after just the first instance?

Bill

I see after I posted that others are also noticing this, so sorry for the same post.

There are two lines:

vbseo_int_var($ids);

in my vbseo/includes/functions_vbseo_vb.php (3.6.0)

I guess we should add vbseo_int_var($aids); only after the first occurence, right?

That was quick Few others posted while I was editing my post. Sorry for adding noise...

From what I see in 3.6.0, the code appears twice. Once on line 1076 and again on 1130. Do they both need to be changed as listed above? And, if one modifies the file, do we need to download and reinstall too"?

Sorry for the duplicate too.

I added after both.

Just downloaded the new file and it appears only once.
right after line # 1076

i had added it after both, so i will wait for the official answer

Thanks spk100

Any news on what to do here as your main download site (https://www.vbseo.com/downloads/) is down :(

Rather than waiting for an answer, I simply downloaded the package and replaced the file:
vbseo/includes/functions_vbseo_vb.php

Haven't downloaded anything from the downloads area. But have updated the details as shown here. Hope this will take care of the issue?

Add it only after the first occurance. I downloaded vbseo again, took a look at the functions in the fresh ver, and it only occured after the first vbseo_int_var($ids);

Thanks. Replaced the old file with the new downloaded file.

I downloaded the new version. In the included file in PL2, they have only updated the FIRST INSTANCE. The second instance did not have the edit below it. Hope this helps.

** teach me to refresh to see if anyone else posted before responding.



I'll be doing a full update anyways, because somehow I missed PL1 too.