
*vBSEO Security Bulletin* All Supported Versions: Patch Release


  1. #121
    Senior Member
    Real Name
    Matthias
    Join Date
    Mar 2009
    Posts
    376
    Liked
    19 times
    Quote Originally Posted by Brian Cummiskey View Post
    The download package is NOT infected. It's more likely that there is something in your datastore DB table that is re-populating the bad data. Try looking in your config.XML file and/or the vb datastore table.
    Code:
    SELECT *
    FROM datastore
    WHERE title LIKE '%vbseo%';
    should be able to get the info out.
    Have you read the posts above? I guess we now know where the malicious code is from. http://www.vbseo.com/info/vbseo_checkver.php

    ?

  2. #122
    Junior Member
    Real Name
    Anthony Dragani
    Join Date
    Dec 2010
    Posts
    23
    Liked
    4 times
    Apparently they're so busy looking for the problem that they haven't been keeping up with this thread, and don't realize that the mystery has already been solved. :(

  3. #123
    Junior Member
    Real Name
    Liam
    Join Date
    May 2011
    Posts
    6
    Liked
    3 times
    Quote Originally Posted by Brian Cummiskey View Post
    The download package is NOT infected. It's more likely that there is something in your datastore DB table that is re-populating the bad data.
    I assume you wrote that before the first message was posted with this URL?
    http://www.vbseo.com/info/vbseo_checkver.js?ver=3.6.0

    As others have already noted, check the bottom of that page. The download package is fine. What's wrong is that the vBSEO control panel, when we access it on our forums, enables this code injection to happen from code on your own servers.

  4. #124
    Member
    Real Name
    afx1
    Join Date
    Sep 2006
    Posts
    54
    Liked
    0 times
    http://www.vbseo.com/info/vbseo_checkver.js?ver=3.6.0 is now blank, so they're obviously working on the issue now

  5. #125
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    657 times
    Blog Entries
    2
    A whole page happened while I was writing that. Sorry.

    The above has already been patched up on our site. That should show nothing now. We are looking in more detail into the cause of that issue.
    Kolbi likes this.
    Brian Cummiskey / Crawlability Inc.
    Security vbulletin - Patch Level for all supported versions released!

    Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!


  6. #126
    vBSEO.com Webmaster Mert Gökçeimam's Avatar
    Real Name
    Lizard King
    Join Date
    Oct 2005
    Location
    Istanbul, Turkey, Turkey
    Posts
    23,111
    Liked
    622 times
    Blog Entries
    4
    The issue with the vBSEO version check was fixed before Brian or I posted. Just clear your browser cache please.
    Kolbi likes this.
    Mert Gökçeimam / Crawlability Inc.

    vBSEO 3.6.0 Alpha Preview - Including Like Tree
    Unveiling the NEW vBSEO Sitemap Generator 3.0 - available NOW for vBSEO Customers!


    Twitter:@Depkac
    Personal Blog : Mert Gökçeimam

  7. #127
    Junior Member
    Real Name
    Mark
    Join Date
    Aug 2008
    Posts
    13
    Liked
    15 times
    Quote Originally Posted by Kolbi View Post
    Have you read the posts above? I guess we now know where the malicious code is from. http://www.vbseo.com/info/vbseo_checkver.php

    ?
    They removed all content from the js file so nothing should be submitted to that php file anymore (hopefully). They should make an announcement and not try to stay silent about it, after all this was their fault and I spent hours trying to tell everyone that this vulnerability was still active, what did I get back? "clear your cookies, apply the patch, no you haven't applied the patch, change your passwords", god damnit, the patch was already applied on my forums since I first upgraded to 3.6.0 a very long time ago. What really surprises me is that the code snippet had been in their js file for months. My friend and I started looking into it, and when we were able to reproduce it by simply visiting vbseocp.php while being logged in as an administrator on the forum it became easier to track down. Nothing in the PHP files, the IPs in the webserver logs were our own (which indicated that it was client-sided). Must say I was really surprised when I found that in the javascript hosted on vbseo.com.

  8. #128
    Junior Member
    Real Name
    Drew
    Join Date
    Aug 2008
    Posts
    9
    Liked
    7 times
    Quote Originally Posted by Riverwire View Post
    Im sure people would rather the VBSEO guys spent their time to actually fix it rather than posting in the forums trying to reassure everyone. Let them get on with it and im sure everyone will be notified when they resolve the problem and let us know if there has been other damage done.
    You say "im sure" twice and they'll "let us know", but you don't know that. The thing is, a lot of companies don't unless they get caught or called out.

    As their customer, I am just requesting that they handle this professionally and they are not doing that.

    If you read my post, you'd see at least one user was being passed off to vBulletin.com when it's obviously a vBSEO issue and they've known about it for a year. Although, in their defense, they thought it had been fixed.

    I don't want to clog up this thread, so feel free to disagree with me and we can talk in PMs or another thread if you want. I'll even edit my post and put a link to the thread if you'd like.

  9. #129
    Junior Member
    Real Name
    Drew
    Join Date
    Aug 2008
    Posts
    9
    Liked
    7 times
    Quote Originally Posted by Mert Gökçeimam View Post
    Without going further I can say that we as a team are extremely unhappy about the situation and trust us we are doing our best to identify the issue. It may not be an excuse but right now I have over 39 degrees body heat and I am working on this with the rest of the team to identify what happened. We will ask our CEO Juan Muriente to create an announcement and publish all details that we will identify.

    I would also like to apologize to everyone on behalf of our team.
    Thank you for the update and apology. I hope you guys can get this worked out soon for everyone's sake.

  10. #130
    Junior Member
    Real Name
    Anthony Dragani
    Join Date
    Dec 2010
    Posts
    23
    Liked
    4 times
    Quote Originally Posted by Talaturen View Post
    They removed all content from the js file so nothing should be submitted to that php file anymore (hopefully). What really surprises me is that the code snippet had been in their js file for months.
    Talaturen,

    Thanks for figuring out this mess.

    Could you explain how this exploit was getting from the vbseo.com servers onto our sites?

    Thanks!

  11. #131
    Junior Member Riverwire's Avatar
    Real Name
    Adam
    Join Date
    Apr 2008
    Posts
    25
    Liked
    0 times
    Quote Originally Posted by neowave View Post
    You say "im sure" twice and they'll "let us know", but you don't know that. The thing is, a lot of companies don't unless they get caught or called out.

    As their customer, I am just requesting that they handle this professionally and they are not doing that.

    If you read my post, you'd see at least one user was being passed off to vBulletin.com when it's obviously a vBSEO issue and they've known about it for a year. Although, in their defense, they thought it had been fixed.

    I don't want to clog up this thread, so feel free to disagree with me and we can talk in PMs or another thread if you want. I'll even edit my post and put a link to the thread if you'd like.
    I agree with you, and being a holder of 13 licences in a couple of different accounts I have put my fair share into VBSEO. However, my point is that with everyone demanding responses it's not going to get this solved any quicker.

  12. #132
    Junior Member
    Real Name
    Mark
    Join Date
    Aug 2008
    Posts
    13
    Liked
    15 times
    Quote Originally Posted by DelDrago View Post
    Talaturen,

    Thanks for figuring out this mess.

    Could you explain how this exploit was getting from the vbseo.com servers onto our sites?

    Thanks!
    The javascript on vbseo.com is embedded in vbseocp.php, so when you visit that page your web browser will load it, and at the end of that script was the malicious code. It made you submit a request to your own forum that added the plugin, and besides that it also sent your forum URL to http://www.vbseo.com/info/vbseo_checkver.php (which most likely forwarded your forum URL to the hackers, I can't know because that part is server-sided).
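
The post above describes a script served from a vendor's host running inside the logged-in admin page. As an added example (not part of the thread and not vBSEO code), this audit lists every cross-origin script a page loads and flags those with no integrity hash or fetched over plain HTTP. The sample markup, `forum.example`, `cdn.example` and the placeholder hash are constructed assumptions; only the version-check URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not real vBSEO markup); the remote
# version-check URL is the one quoted in the thread.
SAMPLE_ADMIN_HTML = """
<html><head>
<script src="clientscript/local_admin.js"></script>
<script src="http://www.vbseo.com/info/vbseo_checkver.js?ver=3.6.0"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body>Admin control panel</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.scripts.append(attrs)


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)


def audit_admin_page(html, page_url):
    """List scripts that run in the admin session but come from another origin."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = urljoin(page_url, attrs["src"])
        if _origin(src) == _origin(page_url):
            continue  # same-origin script: under the site owner's control
        issues = []
        if not attrs.get("integrity"):
            issues.append("no-sri")     # content is not pinned to a hash
        if urlsplit(src).scheme != "https":
            issues.append("plaintext")  # modifiable in transit as well
        findings.append({"src": src, "issues": issues})
    return findings
```

Calling `audit_admin_page(SAMPLE_ADMIN_HTML, "https://forum.example/vbseocp.php")` returns two findings, and the version-check script is the one carrying both flags.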

  13. #133
    Member
    Real Name
    Tim
    Join Date
    Jan 2012
    Posts
    82
    Liked
    1 times
    Just get it figured out guys, do what you need to do and then let us know what we need to do on this end, especially us newbies. At this point I don't have a clue as to what and how much is compromised, but want to make sure my data and website are protected. So when you get all the pieces of the puzzle put together, you may have to lead me (maybe others) step by step to make sure we are secure.

  14. #134
    kau
    Senior Member
    Real Name
    Alan
    Join Date
    Aug 2006
    Posts
    104
    Liked
    0 times
    I'm lost.

    Can someone give the cliffnotes on what was found?

    vBSEO had a Javascript file that scanned all our sites for exploits and listed which ones were exploitable?

    Then IT created the plugin or a hacker just used the list?

  15. #135
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    657 times
    Blog Entries
    2
    The version checker Js is what does the call back to our servers to generate your license key by domain and to make sure your install is valid at first run. I don't have any more details at the moment. Please be assured that we are doing all we can as fast as we can to get this whole thing sorted.
