vBSEO Security Bulletin - vBSEO 3.3.2 Released

I installeled the patch for 3.3.1 version but in the admin cp there is no indicator telling me that the patch was installed....

[Patent Pending] vBSEO 3.3.1 - Admin Control Panel

Is that correct?

I run two forums on one server. One has vbSEO 3.2.0, the other 3.1.0. I'm not currently able to fully upgrade either.

I've patched the 3.2.0 version after receiving your email, and see that you don't intend to offer a patch (for this critical security vulnerability) for 3.1.0 because it hit end of life.

Are both sites going to be vulnerable because I'm unable to patch or upgrade the 3.1.0 site, or just that one? Is this a server vulnerability or a software/forum vulnerability?

Originally Posted by wld

I installeled the patch for 3.3.1 version but in the admin cp there is no indicator telling me that the patch was installed....

Is that correct?

Correct. Installing the patch does not change your version number (we do not use PLx or any other indication like vB does)

Originally Posted by wcbryant

I run two forums on one server. One has vbSEO 3.2.0, the other 3.1.0. I'm not currently able to fully upgrade either.

I've patched the 3.2.0 version after receiving your email, and see that you don't intend to offer a patch (for this critical security vulnerability) for 3.1.0 because it hit end of life.

Are both sites going to be vulnerable because I'm unable to patch or upgrade the 3.1.0 site, or just that one? Is this a server vulnerability or a software/forum vulnerability?

We aren't going to publish any details about the issue for security reasons. The less people know about it, the safer everyone who hasn't patched yet is.

That said, yes, you should upgrade the 3.1 version immediately.

Originally Posted by Brian Cummiskey

We aren't going to publish any details about the issue for security reasons. The less people know about it, the safer everyone who hasn't patched yet is.

That said, yes, you should upgrade the 3.1 version immediately.

Love the bold face, but it doesn't change the fact that I am unable to upgrade the 3.1 version and your affirmative is out of place as I already indicated that upgrade wasn't currently an option. Moreover, it's pretty difficult to make an informed decision about what to do without even basic information (is my server at risk, or just the one site) -- but I understand why you're not disclosing.

Is the answer then to disable vbSEO for that site, and would that be as simple as disabling the product and deleting the .htaccess, or is there more to do?

Hello Will ,

You can check Uninstallation instructions from How to uninstall vBSEO - vBulletin SEO Forums However i will not advise uninstalling vBSEO from an established site.

Originally Posted by Mert Gökçeimam

Hello Will ,

You can check Uninstallation instructions from How to uninstall vBSEO - vBulletin SEO Forums However i will not advise uninstalling vBSEO from an established site.

What, then, do you recommend? There is no patch for 3.1.0. I am currently unable to upgrade the 3.1.0 site to 3.2.x or 3.3.x. While I have patched the larger of my two sites (which runs 3.2.0), it's not clear whether or not that site remains vulnerable because of this one.

If I'm not going to be able to upgrade the 3.1.0 site (and I'm not any time soon), then do I have any option besides uninstalling vbSEO from it?

Thank you for the link. I won't start uninstalling from that site until I've heard back from you in regards to what, if there are any, my options might be. Rather than a full uninstall, is it not sufficient to simply disable the product until a future date when I might be able to upgrade?

Will, you have PM.

Correct. Installing the patch does not change your version number (we do not use PLx or any other indication like vB does)

OK, thanks Brian for clarifying it.

Originally Posted by wcbryant

What, then, do you recommend? There is no patch for 3.1.0. I am currently unable to upgrade the 3.1.0 site to 3.2.x or 3.3.x. While I have patched the larger of my two sites (which runs 3.2.0), it's not clear whether or not that site remains vulnerable because of this one.

I'm running v3.1.0 also, my vBSEO is heavily customized with all sorts of custom code added and in fact all of my vBSEO files even have custom file names.

Would i be at immediate risk with all my vBSEO files renamed?

If they can find the file(s), then yes, you're still at risk.

Originally Posted by spj8082

for some reason IE8 has issue with vb when it comes to downloading files or attachments.I was trying to find the site that was talking about it with MS..This is an issue that MS wont fix, plus it effects all forum software too from what i was told.I tell my members to use firefox..i think safari and opera works fine too.

I've never had trouble with IE8 and any vB software. IE8 is my preferred browser. I use FF only for checking and validating my code work and for logging into my client's accounts on websites I also have an account on. In this particular case, it was the FF browser that had the problem I reported. I downloaded and unpacked the same software with IE8 and WinRAR from my own account without any issue. However, when I tried to download and unpack my client's software using IE8, I had the same problem I had with FF.

Originally Posted by webwizzy

Try using the default Windows unzipping feature, instead of Winrar.

Same problem - see above.

This is an isolated problem. I have downloaded lots of vB related software with IE8 and Firefox 3.0.14 without any problems. I have been using WinRAR for several years without issue. I have several file browsers/managers, from Windows Explorer, to Directory Opus 9 to a couple of FTP clients and an image editing and management program. All of them have been used before with no problems.

Earlier today I managed to download with IE8 and unpack the package without problem. This was after I had a problem downloading the package for a client using FF. Now I can't get the package because it appears to be corrupted somehow. I realize the package has not been a problem for others - including me earlier today. But it has been a problem throughout the day and continues to be a problem now.

Jim

Originally Posted by Brian Cummiskey

If they can find the file(s), then yes, you're still at risk.

So if they "can" find the files i'm at risk, and if they "cannot" i'm ok.

Alrighty then, i guess i will have a look around the vulnerability disclosure sites and find out what file so i know how findable and how at risk i am.

Thanks.

Vulnerability information is not disclosed at all on any third party sites.

Originally Posted by Mert Gökçeimam

Vulnerability information is not disclosed at all on any third party sites.

Thanks, yes i found that one out after some Google timeline searches. However that's a good thing, so if this vulnerability was discovered by a third party (outside vBSEO staff) then thank you to that person for doing the right thing.

Help!!! I applied the patch and now my threads don't show up at all, just blank white pages!!