Mohamad
01-28-2012, 03:04 PM
Dear Customers and Friends,
An exploit has come to our attention that necessitates the release of a Patch for all currently supported versions, including
vBSEO 3.6.0
vBSEO 3.5.2
vBSEO 3.5.1 (including PL release)
vBSEO 3.5.0
Versions below 3.5.0 are no longer supported and have met end of life. If you are running 3.5.0 or lower, it is highly suggested that you upgrade to a newer build immediately.
All of the above install packages in the downloads area have been updated should you wish to re-install the entire product. Version numbers have not changed, and there will be no "PL" designation with this update.
Run Testing Utility (http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/index12.html#post325845) | Download Patched vBSEO Now
Otherwise, the simple fix is to edit the file
/vbseo/includes/functions_vbseocp_abstract.php
Find:
public static function proc_deutf($ptxt, $tocharset)
{
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', "$1")) ? $_s : "$1").stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
Replace with:
public static function proc_deutf($ptxt, $tocharset)
{
// Only the next line changes: the captured text ($1) is now single-quoted inside the
// /e replacement, so it is an inert literal instead of an interpolated double-quoted string.
$ptxt = preg_replace('#\'([^\']*)(\'\s*\=\>)#mie', '"\'".(($_s = iconv("UTF-8", \''.$tocharset.'\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')', $ptxt);
return $ptxt;
}
Or, you can simply over-write the entire file from the new download up to your site.
Please take immediate action to protect your sites.
IMPORTANT
It has been reported that some sites have had random plugins show up in their plugin list in the vB adminCP. Please take the time to go through your plugin list. If you do see anything that doesn't look familiar, it may be wise to disable that plugin while troubleshooting further. Most reports have been tied to the global_complete hook under the core 'vBulletin' product, but may also be elsewhere. We are unsure of any implications or ramifications that may have resulted, as an infinite amount of code or text may have been injected. However, what we have seen appears to be a link-stealer for outbound traffic and doesn't necessarily expose any information or passwords of your site. It is always a good idea to update your FTP, server, vB admin, vBSEO CP, and even any htaccess passwords on your server as a precaution.
If you find any more information about the issue, please do bring it to our attention ASAP so it can be addressed. If you have any questions, please feel free to open up a ticket or thread and we will be glad to assist further.
From the FAQ (http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/index12.html#post325845): I was hit, how do I fix it?
Go through your plugin list. If you do see anything that doesn't look familiar, it may be wise to disable that plugin while troubleshooting further. Most reports have been tied to the global_complete hook under the core 'vBulletin' product, but may also be elsewhere.
Testing Utility
To help in seeking suspect plugins, we have created a small utility that verifies the source code of all your plugins and datastore for known patterns of malicious plugins that have been reported:
- If your install is clean, the tool simply displays an "OK".
- If a suspect plugin is identified, a link to edit/disable it in admincp is displayed.
Installation Instructions:
- Download the attached file (vbseo_checkplugins.zip), unzip and upload it to the root of your forums directory.
- Visit http://www.yoursite.com/[forum-directory-name]/vbseo_checkplugins.php
- Review your results as described in the 'Testing Utility' section above.
NOTE: If you identify a rogue plugin not detected by the current testing utility, please report it via our ticket system or create a new thread in the troubleshooting forum titled "Undetected rogue plugin" so that we can update the utility ASAP.
Thanks for your cooperation.
vbseo_checkplugins3.zip (v3) (http://www.vbseo.com/attachments/f24/8913d1327705968-downloads-vbseo_checkplugins3.zip)
Thank you,
The vBSEO Team
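Why the one-character change in the patch matters, shown with an added example that is not vBSEO's code: PHP 5's preg_replace() /e modifier escaped each back-reference with addslashes(), substituted it into the replacement string, and eval()ed the result as a PHP expression. In the original line the capture lands inside a double-quoted string ("$1"), where PHP's curly interpolation syntax {${expr}} evaluates expr; in the patched line it lands inside single quotes ('$1'), where the already-escaped capture can neither close the literal nor be interpolated. The /e modifier was removed in PHP 7, so the script below emulates it with preg_replace_callback() and eval(). The probe() function, the {${probe()}} key and the 'sink' variable name are constructed stand-ins for attacker-controlled input, not the exploit that was reported. Requires PHP 7 or later with the iconv extension.

```php
<?php
// Added example (not vBSEO's code): emulate PHP 5's preg_replace() /e modifier
// to show why the double-quoted "$1" in the original proc_deutf() was a code
// injection and why the single-quoted '$1' in the patch is not.

// /e semantics: each back-reference is escaped with addslashes(), substituted
// into the replacement string, and the result is eval()ed as a PHP expression.
function emulate_e_modifier(string $pattern, string $replacement, string $subject): string
{
    return preg_replace_callback($pattern, function (array $m) use ($replacement): string {
        $code = preg_replace_callback('/\$(\d+)/', function (array $ref) use ($m): string {
            return isset($m[$ref[1]]) ? addslashes($m[$ref[1]]) : '';
        }, $replacement);
        $sink = '';   // exists only so the demo payload's variable lookup resolves without a notice
        return (string) eval('return ' . $code . ';');
    }, $subject);
}

// The bulletin's pattern without the /e flag; the two replacement strings below
// are copied from the Find and Replace blocks of the bulletin.
const DEUTF_PATTERN = '#\'([^\']*)(\'\s*\=\>)#mi';

// Original: the escaped capture is dropped into a double-quoted PHP string, where
// {${expr}} means "evaluate expr and use the result as a variable name".
function proc_deutf_vulnerable(string $ptxt, string $tocharset): string
{
    $replacement = '"\'".(($_s = iconv("UTF-8", \'' . $tocharset . '\', "$1")) ? $_s : "$1").stripslashes(\'$2\')';
    return emulate_e_modifier(DEUTF_PATTERN, $replacement, $ptxt);
}

// Patched: single quotes. addslashes() has already escaped any ' or \ in the
// capture, so it can neither terminate the literal nor be interpolated.
function proc_deutf_patched(string $ptxt, string $tocharset): string
{
    $replacement = '"\'".(($_s = iconv("UTF-8", \'' . $tocharset . '\', \'$1\')) ? $_s : \'$1\').stripslashes(\'$2\')';
    return emulate_e_modifier(DEUTF_PATTERN, $replacement, $ptxt);
}

// Harmless stand-in for attacker code: counts its calls and returns the name of
// a variable that exists in the eval scope ($sink above).
$probe_calls = 0;
function probe(): string
{
    $GLOBALS['probe_calls']++;
    return 'sink';
}

$benign  = "array('café' => 1)";
$payload = 'array(\'{${probe()}}\' => 1)';   // constructed probe key, not the reported exploit

echo proc_deutf_vulnerable($benign, 'UTF-8'), "\n";
echo proc_deutf_vulnerable($payload, 'UTF-8'), "\n";   // probe() executes while the key is "converted"
echo "probe() calls after vulnerable run: $probe_calls\n";

$probe_calls = 0;
echo proc_deutf_patched($payload, 'UTF-8'), "\n";      // key survives as a literal; probe() never runs
echo "probe() calls after patched run: $probe_calls\n";
```

The call counter is the whole point: with the original replacement the probe runs during the replacement itself (once in the iconv() argument and once more in the fallback branch), while the patched replacement passes the same input through as text. Anything that feeds request-derived text into proc_deutf() therefore had a code-execution path on unpatched installs, which is why the bulletin also tells you to audit plugins and rotate credentials rather than just apply the patch.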
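The testing utility's approach, as an added example that is not vbseo_checkplugins.php itself: scan the phpcode of every row in vBulletin's plugin table and the cached 'pluginlist' datastore entry for code patterns typical of injected plugins, and print "OK" or a list of suspects with an admincp edit link. The vendor's signatures are not public, so the indicators below are generic assumptions (eval of a decoded blob, long base64 literals, preg_replace with /e, remote fetches, rewriting of href attributes in $output), as is the admincp/plugin.php?do=edit&pluginid= link. The plugin rows and datastore value are constructed inline so the script runs offline; a real check would read them from the database with the SELECT statements in the header comment.

```php
<?php
// Added example, not vBSEO's vbseo_checkplugins.php: scan vBulletin plugin rows and
// the cached 'pluginlist' datastore entry for code patterns typical of injected
// plugins. The indicators are generic assumptions, not the vendor's signatures.
//
// In a live forum the inputs would come from the database:
//   SELECT pluginid, title, hookname, product, active, phpcode FROM plugin
//   SELECT data FROM datastore WHERE title = 'pluginlist'
// Here they are constructed inline so the script runs offline.

const INDICATORS = [
    'eval of decoded blob'      => '/\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'long base64 literal'       => '/[\'"][A-Za-z0-9+\/]{40,}={0,2}[\'"]/',
    'preg_replace with /e'      => '/preg_replace\s*\(\s*([\'"])(\S).*?\2[a-z]*e[a-z]*\1/is',
    'fetches remote content'    => '/\b(?:file_get_contents|fopen|curl_init)\s*\(\s*[\'"]https?:\/\//i',
    'rewrites links in $output' => '/\$output\s*=\s*(?:preg_replace|str_replace)\s*\(.*href/is',
];

function scan_code(string $code): array
{
    $hits = [];
    foreach (INDICATORS as $label => $regex) {
        if (preg_match($regex, $code) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

function scan_plugins(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        $reasons = scan_code($row['phpcode']);
        // Reports cluster on global_complete under the core product; an untitled
        // plugin there deserves a look even when no code pattern fires.
        if ($row['hookname'] === 'global_complete' && $row['product'] === 'vbulletin' && trim($row['title']) === '') {
            $reasons[] = 'untitled plugin on global_complete under core product';
        }
        if ($reasons !== []) {
            $findings[] = [
                'pluginid' => (int) $row['pluginid'],
                'title'    => $row['title'],
                'hookname' => $row['hookname'],
                'active'   => (bool) $row['active'],
                'reasons'  => $reasons,
                'edit'     => 'admincp/plugin.php?do=edit&pluginid=' . (int) $row['pluginid'], // assumed admincp path
            ];
        }
    }
    return $findings;
}

// The datastore caches each hook's concatenated code; injected code can survive
// there until the cache is rebuilt, so check it independently of the plugin table.
function scan_pluginlist(string $serialized): array
{
    $hooks = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($hooks)) {
        return [];
    }
    $findings = [];
    foreach ($hooks as $hookname => $code) {
        $reasons = scan_code((string) $code);
        if ($reasons !== []) {
            $findings[$hookname] = $reasons;
        }
    }
    return $findings;
}

function report(array $plugins, array $datastore): string
{
    if ($plugins === [] && $datastore === []) {
        return "OK\n";
    }
    $out = '';
    foreach ($plugins as $f) {
        $out .= sprintf("SUSPECT plugin %d \"%s\" on %s (%s): %s -> %s\n", $f['pluginid'], $f['title'],
            $f['hookname'], $f['active'] ? 'active' : 'disabled', implode('; ', $f['reasons']), $f['edit']);
    }
    foreach ($datastore as $hook => $reasons) {
        $out .= sprintf("SUSPECT datastore pluginlist[%s]: %s\n", $hook, implode('; ', $reasons));
    }
    return $out;
}

// Constructed sample rows: a legitimate-looking vBSEO hook, an injected base64 blob,
// a harmless ad plugin on the same hook, and a plaintext outbound-link rewriter.
$rows = [
    ['pluginid' => 1, 'title' => 'vBSEO Hook', 'hookname' => 'global_start', 'product' => 'vbseo', 'active' => 1,
     'phpcode' => "require_once(DIR . '/vbseo/includes/functions_vbseo_hook.php');"],
    ['pluginid' => 2, 'title' => '', 'hookname' => 'global_complete', 'product' => 'vbulletin', 'active' => 1,
     'phpcode' => "eval(base64_decode('" . base64_encode("echo 'constructed stand-in for an injected payload';") . "'));"],
    ['pluginid' => 3, 'title' => 'Footer ad', 'hookname' => 'global_complete', 'product' => 'vbulletin', 'active' => 0,
     'phpcode' => '$output = str_replace(\'</body>\', \'<div>ad</div></body>\', $output);'],
    ['pluginid' => 4, 'title' => 'Link Tracking', 'hookname' => 'global_complete', 'product' => 'vbulletin', 'active' => 1,
     'phpcode' => '$output = preg_replace(\'#href="(http://[^"]+)"#\', \'href="http://example.invalid/go?u=$1"\', $output);'],
];
$datastore = serialize(['global_complete' => implode("\n", array_column(array_slice($rows, 1), 'phpcode'))]);

echo report(scan_plugins($rows), scan_pluginlist($datastore));
```

Plugins 2 and 4 are flagged (decoded-eval blob plus missing title, and href rewriting of $output respectively) and the datastore entry for global_complete is flagged as well, while the vBSEO hook and the plain footer-ad plugin pass. The patterns are deliberately loose heuristics: treat every hit as something to read, not as proof of compromise, and report anything the real utility misses through the channel the bulletin asks for.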