*vBSEO Security Bulletin* All Supported Versions: Patch Release

I think lessons have been learned and systems will be put into place.
vBSEO is a great product... the only one out there.
Becasue it is so popular... its is subjects to hacks for the hackers to gain a trophy and recognition in their sick little world.

I look forward to an update on knowing what could have been compromised... and vBSEO still has my vote of confidence.

Thanks!

Originally Posted by Noodles

Also, I think vbSEO need to revise their policy about creating new version numbers. We've been on 3.6.0 for a while now and there has been a few times where security patches have been released and the version number has not been incremented. Anyone looking at just the version number wouldn't know that there had been any changes. Minor version numbers MUST be updated with any changes.

I agree.

I don't understand how is possible to release patches and new files mantaining the same product version number 3.6.0.

Originally Posted by Noodles

Just out of interest, I reported this security hole on the 15th Mar 2011 (or at least the errors resulting from an attack on this security hole). I thought it had been fixed in 3.6.0, as there wasn't any more attacks after we upgraded. Did vbseo roll back some code or something?

Also, I think vbSEO need to revise their policy about creating new version numbers. We've been on 3.6.0 for a while now and there has been a few times where security patches have been released and the version number has not been incremented. Anyone looking at just the version number wouldn't know that there had been any changes. Minor version numbers MUST be updated with any changes.

Just to correct one thing , the issue you reported was the issue reported by Andy R prior to 3.6.0 Gold release. You were running vBSEO 3.5.2 then and even yourself mentioned that it was changed on 3.6.0 in your ticket . After vBSEO 3.6.0 Gold we had no security issues reported.

We always released security versions as PL1 , PL2 etc.. or with a new version number.

Please try not to make false assumptions so we can focus on the exact side of the issue instead of correcting mis understandings .

Originally Posted by Mert Gökçeimam

Just to correct one thing , the issue you reported was the issue reported by Andy R prior to 3.6.0 Gold release. After vBSEO 3.6.0 Gold we had no security issues reported.

We always released security versions as PL1 , PL2 etc.. or with a new version number.

Sorry Mert, but today I downloaded a new 3.6.0 Gold package (with

functions_vbseocp_abstract.php file updated).

The version number is the same of the previous package I downloaded on April 2011.... or not? :|

Originally Posted by rughis

Sorry Mert, but today I downloaded a new 3.6.0 Gold package (with

functions_vbseocp_abstract.php file updated).

The version number is the same of the previous package I downloaded on April 2011.... or not? :|

index10.html

Ok, maybe I am confused but I just down loaded VBSEO 3.6.0 and there is no notation of PLx noting this is a patched file. Nor does the file itself have anything noting PLx. I can only see the file was last updated on 1/23/12 when I visit the down load page.

Also I just "patched" my site with this most recent update and the VBSEO control panel is reporting 3.6.0 with no PLx.

I am guessing by Noodles post that there have been a few fixes/releases/patches since I first updated to 3.6.0 and saw the file sizes of this down load are different then those that I have running on my site.

I have not received any notice to any patches/updates other then the one I received today.

Anyways not trying to stir the pot but rather trying to understand and make sure I am always up to date with the most current release and can easily identify that I am.

Thanx for the entire VBSEO staffs hard work

with a lot of money involved in vbseo i'm sure everything will be resolved shortly.

Thank you for advice

Originally Posted by 1QuickSI

Ok, maybe I am confused but I just down loaded VBSEO 3.6.0 and there is no notation of PLx noting this is a patched file. Nor does the file itself have anything noting PLx. I can only see the file was last updated on 1/23/12 when I visit the down load page.

In first post they said they wouldn't call this PL or whatever.

Anyway, I'm waiting to see what they discovered how this happened and what we need to do to ensure security of our sites.

Shocked that this was not properly included nearly a year ago .

I know mistakes can be made by anyone or any company for that matter however this is down right shotty imo and perhaps this will FINALLY make you explain to your support staff that they need to quit telling every client of yours that "It's a vBulletin Issue" or "It's a Server issue" or worse which is all I see time and time again from clients of mine and Hosts I work for when I repeatedly recommend for them to purchase vBSEO. If you would stop, listen, and then think to check more so then you currently do it would never have been a issue and can certainly be avoided.

I truly hope you stop slapping others in the face with nothing but excuses, over, and over, and over, and over again it's a non-stop circle jerk in here if you ask me.

Special Thanks to Jafo who brought this to everyone's attention again.

That's right Mert, I didn't get any problems after that, so 3.6.0 seemed to have fixed the problem. However this security patch today still refers to 3.6.0. I wasn't complaining, just stating that I thought it was fixed already.

I've seen PL1, PL2 used a couple of times, but more often I've seen the same package released with security fixes without PLx tags. Even today the 3.6.0, 3.5.2 etc don't have PL1 tags.

The ironic thing is that the entire function of the callback was to verify authentic users, but instead it spread an infection to all of the PAYING users.

Man, that was a lot of work to make sure nothing was compromised.
I also did find a file (plugin) questionable.
I went ahead and deleted that.
Then I went ahead and changed my WHM/cPanel pws (They don't have the same login on the website anywhere)
Went ahead and changed FTP/MySQL/Admin Passwords/vBSEO Password/SSH pw/
I think I am in the clear.
This was one scary thing to go through.
Hopefully we don't have to go through such thing in the future.

Fixed , thanks for sending an e-mail.