Here's a quick stupid question. Sorry.
I applied this new patch (11/17/09) and as the email said the version number wouldn't change.
So, how do I really know if I did it right?
Thanks.
Hi Robert,
Check the datestamp on the files. If they are newer than 11/16/09, then you did it right.
Ace Shattock / Crawlability Inc.
vBSEO 3.6.0 GOLD Released!
Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!
Hello everyone!
When I upload the new files to my forum (Vbseo.php and functions_vbseo_url.php) I got a problem with my forum.
The error is : Fatal error: Call to undefined function vbseo_requested_url() in /home/zain22/public_html/vbseo.php on line 18
Any help for this?
Did you upload the correct patch version for your board?
try re-ftp'ing them with over-write and in ascii mode (not binary)
Brian Cummiskey / Crawlability Inc.
Yes Mr. Brian, I uploaded the correct file for the same version.
Mr. Brian, thanks a lot for everything, now my site is O.K.
Great. Glad it was an easy fix.
Brian Cummiskey / Crawlability Inc.
I think we should help people determine if they have been exploited by this vulnerability, since the attacker can plant a file and then come back later to do damage to a forum.
The following does not reveal anything that breaches security.
First of all, search your web access log and look for vbseo.php in your log files. If this file has been called by any IP address (and returned a 200, success code) that is not "yours" then you need to look deeper.
The vBSEO team might think we should not reveal this. But I think it is in the best interest of the entire user community to reveal a very small detail to the users so they can search to see if they may have been "hit" by this hack.
Simply search your logs and look for any "strangeness" with any vbseo.php entry.
sifting through logs with vbseo.php in it will take forever.
the better thing to do is to run:
grep -r 'vbseoembed' /path/to/access_log
(sorry, i don't know the windows command off hand)
if you have any hits with this call method, check that they are legit. Mainly you are looking for this call along with a customprofilepic call. Most users should not have anything used like this. If you used a photopost or another 3rd party extension, you may find this, and that is ok.
Brian Cummiskey / Crawlability Inc.
Hi Brian,
I don't think so. Our server gets over 4 Million PVs per month, and we rarely see any references to vbseo.php in the log files.
In fact, the only references we see are exploit attempts; and OBTW the (or at least one) exploit string to look for is:
Code: "vbseo.php?vbseourl="
.... if you want more details posted.
Like I said, we rarely see any references to vbseo.php in our logfiles, because this file is not called directly from a user, generally speaking. For example, just in the past few hours our log size (kinda small, weekend traffic and only a few hours):
Code: 84732336 2009-11-21 21:45 access.log
There are zero references to vbseo.php EXCEPT related to an attacker trying to exploit the "before fixed" vulnerability in vbseo.php ....
I can post the exact exploit strings and technique if you like..... if I post one, you can see exactly how to test a server to see if it is vulnerable. Earlier I tried to obfuscate the vulnerability and call it "something else" in the interest of secrecy.
Now I think it is better to give users something they can actually test. I have the exact sequence needed to exploit this vulnerability, FYI.
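A triage pass over the log indicators named in the posts above (requests touching vbseo.php, a 200 status, IPs that are not your own, vbseoembed, customprofilepic, and "vbseo.php?vbseourl="), added here as an example and not posted by anyone in the thread. It assumes Apache combined log format; the function names, the sample log lines and the PLACEHOLDER values are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an Apache combined-format access log for the
# indicators named in this thread. Reads the log on stdin; arguments are
# your own (trusted) IP addresses, whose requests are skipped.
vbseo_triage() {
    awk -v trusted=" $* " '
    {
        n = split($0, q, "\"")      # q[2] = request line, q[3] = " status bytes "
        if (n < 3) next             # not combined format, skip the line
        req = tolower(q[2])
        if (!index(req, "vbseo.php") && !index(req, "vbseoembed")) next
        if (index(trusted, " " $1 " ")) next
        split(q[3], rest, " ")      # rest[1] = HTTP status code
        tags = ""
        if (index(req, "vbseo.php?vbseourl=")) tags = tags "direct-vbseourl,"
        if (index(req, "vbseoembed"))          tags = tags "vbseoembed,"
        if (index(req, "customprofilepic"))    tags = tags "customprofilepic,"
        if (tags == "")                        tags = "vbseo.php,"
        sub(/,$/, "", tags)
        # A 200 answered to a non-trusted IP is the case the thread says to dig into.
        sev = (rest[1] == "200") ? "REVIEW" : "info"
        printf "%s\t%s\t%s\t%s\t%s\n", sev, $1, rest[1], tags, q[2]
    }'
}

# Constructed sample log: documentation IP ranges, PLACEHOLDER parameter values.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [21/Nov/2009:20:01:11 +0000] "GET /vbseo.php?vbseourl=PLACEHOLDER HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [21/Nov/2009:20:14:52 +0000] "GET /vbseo.php?vbseourl=PLACEHOLDER HTTP/1.1" 200 1833 "-" "-"
203.0.113.7 - - [21/Nov/2009:20:15:03 +0000] "GET /vbseo.php?vbseoembed=PLACEHOLDER&PLACEHOLDER=customprofilepic HTTP/1.1" 200 97 "-" "-"
198.51.100.23 - - [21/Nov/2009:21:02:40 +0000] "GET /vbseo.php?vbseourl=PLACEHOLDER HTTP/1.1" 404 210 "-" "-"
198.51.100.40 - - [21/Nov/2009:21:30:00 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 20480 "-" "-"
EOF
}

# Demo: 192.0.2.10 plays the role of the admin's own address.
sample_log | vbseo_triage 192.0.2.10
```

On a real server, feed it the log directly, e.g. `vbseo_triage YOUR.IP.HERE < /path/to/access_log`, and check each REVIEW line against legitimate third-party extensions before treating it as a hit.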
Hi all,
Do I need to upgrade to protect myself if I run the following versions of software?
Powered by vBulletin® Version 3.8.4
Content Relevant URLs by vBSEO 3.2.0
Thanks,
David
Hello Ben,
You should either apply the patch or upgrade to latest version. If I were you I would upgrade to latest version as vBSEO 3.2.0 is not fully supporting vBulletin 3.8 features like Social Group discussions.
Mert Gökçeimam / Crawlability Inc.
Does anyone know if it's safe to install the 3.3.0 patch on a forum running 3.3.0 RC3?
I would not recommend it as the patches are created from final releases and have not been tested against RC versions so could cause some adverse effects.
Saying that however I would definitely not recommend leaving yourself un-patched as there is a greater risk to your site if unprotected.
If anything I would recommend you upgrade ASAP.
Ceri