config.xml settings changed randomly - security issue? (Troubleshooting forums, vBSEO SEO Plugin category)
This just happened this very second to me. For some odd reason, the urls were fine UNTIL I RECEIVED THE VBSEO EMAIL. That was when every rewrite I put on my site was gone.
Luckily, I had taken a backup yesterday, from when the URLs worked perfectly fine.
I have no idea what caused this as there are no signs of a hacking. config.xml was and has been chmod 644 for the last 4 months, so why specifically today, the day the patch is released?
UPDATE:
I luckily took a backup of the whole site yesterday and extracted and uploaded my proper config.xml file.
I'm also confused why no-644 is being blamed. I'm sure for some people it was, but I've been dealing with this for 10 or so hours and there have been many others on this forum who also claim to have had theirs at 644. Ceri mentioned earlier it might have something to do with apache and cpanel usernames being the same, but I am waiting for clarification on that.
Anyway, try accessing your threads through Google (search for something where one comes up) and make sure yours isn't redirecting to a URL forwarder. I got hit with this exploit at the exact same time. Here's an old thread about it: Security issue
I didn't bother trying to access my threads, as I uploaded a backed-up version of my config.xml file. I urge others to get out a backup of their site, extract config.xml from it, then apply the 3.5.1 Patch (making sure to back up your vbseo settings and URLs). Then upload your copy of config.xml, and upload vbseo_all.xml and vbseo_urls.xml.
i still don't understand how this happened to begin with as i had the file chmod 644 the entire time
now it's chmod 644 and i made it owned by root:root instead
can't have this stuff happening, i would rather pay 4x more per year for the product and have dedicated specialists analyzing code for purely security issues. security is all that matters, would rather have it be free of flaws and the product be 50% less effective at improving SEO, than having flaws, and being 150% more effective
Can you explain how to do this exactly?
Same here. That's why I switched to a dedicated server. Maybe vBSEO should also start selling forum hosting with constant security to prevent these things? I would buy it.
dedicated server, vps, shared host, doesn't matter if there are vulnerabilities in the code. the root cause of the problem is the code, doesn't matter what server u have
agreed i work in the information security field (network security, application security, and sell security software on http://deeptide.com) so i am very paranoid about security, nothing else matters
also would rather never once have new features added but only focus on security
i ran: chown root:root config.xml (from within the directory this file is in)
should also already be: chmod 644 config.xml
re: 0644 permissions
With the config file being chmod 0644, it can still be writable if Apache processes are running on the server with the same user account that was used to upload files, i.e. when Apache is running, it is the "owner" of the file, so it still has full access to it, even with 0644 permissions. In a normal server setup, Apache is running with its own user account, like "apache" or "nobody".
An easy way to check this is to make sure that the config file is set to 0644, then log in to your vBSEO CP, and try to change any setting. It should *not* be saved normally, i.e. until you set permissions to 0666, no changes can be made, even if you are logged in.
Oleg Ignatiuk / Crawlability Inc.
Here the same issue today. Glad there is an explanation for it.
@ oleg yeah when its root:root it doesn't even let the file be saved
site is /home/cooluser/public_html
apache running as cooluser
all files under /home/cooluser/public_html are chown cooluser:cooluser except the config.xml which is root:root
should anything be changed w/ this setup? need file attachment uploads for avatar, attachments, etc, to still work
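Added example, not part of any post in this thread: the ownership check described in the posts above as a shell function, which also looks at the directory, since write access there allows replacing a root:root file. It assumes Linux with GNU stat; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU stat.
# The account name in the usage line is the one quoted in the thread.

# mode_allows_write OWNER GROUP MODE USER "USER_GROUPS"
# Returns 0 if USER gets the write bit under the usual owner/group/other rules.
mode_allows_write() {
    owner=$1 group=$2 mode=$3 user=$4 ugroups=$5
    [ "$user" = root ] && return 0            # root ignores mode bits
    perm=$(printf '000%s' "$mode" | sed 's/.*\(...\)$/\1/')   # last 3 octal digits
    if [ "$user" = "$owner" ]; then
        digit=${perm%??}                      # owner class applies, even at 0644
    else
        case " $ugroups " in
            *" $group "*) digit=${perm#?}; digit=${digit%?} ;;   # group class
            *)            digit=${perm#??} ;;                    # other class
        esac
    fi
    case $digit in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# web_user_can_change FILE USER
# Reports every way USER could alter FILE; returns 0 if at least one exists.
web_user_can_change() {
    file=$1 user=$2 found=1
    [ -e "$file" ] || { echo "no such file: $file" >&2; return 2; }
    ugroups=$(id -Gn "$user" 2>/dev/null) || ugroups=
    set -- $(stat -c '%U %G %a' -- "$file")
    if mode_allows_write "$1" "$2" "$3" "$user" "$ugroups"; then
        echo "$file: writable by $user (owner=$1 group=$2 mode=$3)"; found=0
    fi
    # Write access to the directory allows deleting or renaming the file and
    # creating a new one, whatever the file's own owner and mode are
    # (sticky-bit directories aside). Only the write bit is checked here.
    dir=$(dirname -- "$file")
    set -- $(stat -c '%U %G %a' -- "$dir")
    if mode_allows_write "$1" "$2" "$3" "$user" "$ugroups"; then
        echo "$dir: writable by $user, so $file can be replaced"; found=0
    fi
    return $found
}

# Usage: web_user_can_change /home/cooluser/public_html/config.xml cooluser
```
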
ours got changed also.
from someone from
[root@forum httpd]# cat access_log | grep vbseo | grep php
[02/Aug/2010:04:56:59 -0500] 194.154.227.109:40141 - - "forum.xxx.com" "POST /vbseocp.php HTTP/1.1" 200 6651 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" "-"
[02/Aug/2010:04:58:54 -0500] 194.154.227.109:45718 - - "forum.xxxx" "POST /vbseocp.php HTTP/1.1" 200 6651 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" "-"
address: T-Mobile Slovensko, a.s.
address: Vajnorska 100/A
address: Bratislava
address: 831 03
address: Slovak Republic
============================
What should I be looking for in the xml file to see what was changed?
I have also something like that in the access log:
anonymizer.blutmagie.de - - [02/Aug/2010:00:14:07 +0200] "POST /vbseocp.php HTTP/1.1" 200 6829 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
and
anonymizer.blutmagie.de - - [02/Aug/2010:00:14:34 +0200] "POST /vbseocp.php HTTP/1.1" 200 6829 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
I also have this issue. I've made sure the file was set at 644, which it was. I've redownloaded the config.xml and have replaced the one on the server. I've also added the line in the vbseocp.php.
What else do I need to do / check to prevent this?
And how do I check if other forums of mine have been affected? They're all on the same server so I'm a bit worried.
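Added example, not part of any post in this thread: a shell filter that pulls POST requests to /vbseocp.php out of access-log lines in both layouts quoted above, which is one way to go through the logs of every forum on a server. The function names and the sample lines (using documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample log lines below are constructed.

# Reads access-log lines on stdin; prints "client<TAB>timestamp<TAB>status"
# for every POST to vbseocp.php. Handles the timestamp-first layout with
# "ip:port" and the common layout where the client is the first field.
vbseocp_posts() {
    awk '
    match($0, /"POST [^" ]*\/vbseocp\.php[^" ]* HTTP\/[0-9.]+" [0-9]+/) {
        req = substr($0, RSTART, RLENGTH)
        n = split(req, parts, " ")
        status = parts[n]
        if ($1 ~ /^\[/) {                  # timestamp-first layout
            client = $3
            sub(/:[0-9]+$/, "", client)    # drop the source port
        } else {
            client = $1
        }
        i = index($0, "["); j = index($0, "]")
        ts = (i > 0 && j > i) ? substr($0, i + 1, j - i - 1) : "-"
        print client "\t" ts "\t" status
    }'
}

# Number of such POSTs per client, busiest first.
posts_per_client() {
    vbseocp_posts | awk -F '\t' '{ c[$1]++ } END { for (k in c) print c[k], k }' |
        sort -rn
}

# Constructed sample covering both layouts plus two lines that must not match.
sample_log() {
    printf '%s\n' \
     '[02/Aug/2010:04:56:59 -0500] 192.0.2.10:40141 - - "forum.example.com" "POST /vbseocp.php HTTP/1.1" 200 6651 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" "-"' \
     '[02/Aug/2010:04:58:54 -0500] 192.0.2.10:45718 - - "forum.example.com" "POST /vbseocp.php HTTP/1.1" 200 6651 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1" "-"' \
     '198.51.100.7 - - [02/Aug/2010:00:14:07 +0200] "POST /vbseocp.php HTTP/1.1" 200 6829 "-" "Mozilla/4.0"' \
     '203.0.113.5 - - [02/Aug/2010:00:15:00 +0200] "GET /vbseocp.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
     '203.0.113.5 - - [02/Aug/2010:00:16:00 +0200] "POST /newreply.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"'
}

sample_log | vbseocp_posts
```

Run it as `vbseocp_posts < access_log` against each virtual host's log. An administrator's own control-panel sessions show up as well, so the client column has to be compared against addresses known to be legitimate.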