Serious Vulnerability in VBSEO

January 8, 2015, by Daniel Cid


The vBulletin team sent an email yesterday to all their clients about a potential security vulnerability in VBSEO. VBSEO is a widely used SEO module for vBulletin that was discontinued last year. This makes the problem worse, as no patches will be released for it.

If you are using VBSEO, you have 3 options:

  1. Completely remove VBSEO from your site – it is not supported anymore.
  2. Apply the patch recommended by the vBulletin team.
  3. Put your site behind a Website Firewall, which will prevent the exploitation of this vulnerability and many others.

Our research team is looking at this issue, and it seems to be a remote, unauthenticated script (HTML) injection vulnerability. It might lead to full remote command execution, but we have not confirmed that yet. That is as serious as it can get, since an attacker can use it to inject malware or spam, or to take down the site.

Update: We have since confirmed that the remote code execution vulnerability does in fact exist, which is why the following recommendations should be followed immediately on all affected VBSEO websites.
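To help operators tell whether the request shape this bug is reached through has been hitting their forum, here is an added example; it is not from this post, from Sucuri or from vBulletin. It scans an access log in the common "combined" format for requests that carry the ajax parameter together with a Referer header containing HTML or PHP syntax characters, relying on the detail in the vBulletin email quoted below that the affected code runs when ajax is set and uses the Referer header unfiltered. The log format, the field positions and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post, Sucuri or vBulletin): flag requests that
# combine an "ajax" parameter with a Referer header carrying characters a
# legitimate URL never contains (< > { } $ ; or a backslash).
# Log format, field positions and the sample lines below are assumptions.

# The combined log format quotes the request line, the referer and the user
# agent, so splitting each line on '"' puts the request in field 2 and the
# referer in field 4. Print every line that matches both conditions.
flag_vbseo_referers() {
    awk -F'"' '
        $2 ~ /[?&]ajax(=|&| )/ && $4 ~ /[<>{}$;\\]/ { print }
    ' "$1"
}

# Number of flagged lines, for a quick summary or for alert thresholds.
count_flagged() {
    flag_vbseo_referers "$1" | awk 'END { print NR }'
}

# Constructed sample log (RFC 5737 documentation addresses, no real hosts):
# line 1 and line 4 should be flagged, line 2 has a clean referer and line 3
# has no ajax parameter.
LOG_SAMPLE=$(mktemp)
cat > "$LOG_SAMPLE" <<'EOF'
203.0.113.5 - - [08/Jan/2015:10:12:01 +0000] "GET /forum/showthread.php?t=42&ajax=1 HTTP/1.1" 200 5120 "http://203.0.113.5/<b>x</b>" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2015:10:12:07 +0000] "GET /forum/showthread.php?t=42&ajax=1 HTTP/1.1" 200 5120 "http://forum.example/showthread.php?t=42" "Mozilla/5.0"
198.51.100.9 - - [08/Jan/2015:10:13:30 +0000] "GET /forum/index.php HTTP/1.1" 200 9000 "http://other.example/{bad}" "Mozilla/5.0"
203.0.113.6 - - [08/Jan/2015:10:14:02 +0000] "POST /forum/showthread.php?ajax=1 HTTP/1.1" 200 300 "http://203.0.113.6/$x;" "curl/7.38"
EOF

# Scan the file given on the command line, or the constructed sample.
flag_vbseo_referers "${1:-$LOG_SAMPLE}"
```

Only query-string parameters show up in an access log, and PHP's $_REQUEST also accepts POST and cookie data, so an empty result does not prove that nothing was attempted; a hit is a reason to inspect the forum's templates and cached pages for injected content rather than proof of compromise on its own.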

This is the full email from vBulletin:

Dear VB License Holder,

It has come to our attention that there may be a potential security vulnerability in VBSEO affecting the latest version of the software (and potentially other versions as well). We’ve attempted to contact the vendor, but as they have been non-responsive we felt we should alert the community as many of our customers use this add-on software.

If you think you might be running a vulnerable version of the software, there is a simple fix: just comment out the following lines in the file vbseo/includes/functions_vbseo_hook.php:

if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
$permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;

should be changed to:

// if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
// $permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;

If you are running the “Suspect File Versions” diagnostics tool, you will additionally need to generate a new MD5 sum of the above file and edit upload/includes/md5_sums_crawlability_vbseo.php to use the new MD5 sum on the line:

Please be aware that you are making these changes at your own risk. We don’t know if making this change affects the terms of your VBSEO license and we can’t be responsible if making this change breaks your site.

CVE-2014-9463 has been assigned to this potential vulnerability by cve.mitre.org.

We will post more details as we investigate.


Categories: Vulnerability Disclosure. Tags: Hacked Websites

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Jay

    January 9, 2015

    Seems the Server[‘referrer’] value is not filtered and will be written directly into the cms template system. This enables persistent XSS.

    • Daniel Cid

      January 12, 2015

      Not only a XSS, but full remote command execution.

      • Jay

        January 12, 2015

Hi Daniel. I dug deeper into the issue but couldn't find a useful attack vector. Do you have any clues to a remote command execution? I think there must be a preg_replace along with the /e parameter to do such things…

        • Tony Perez

          January 13, 2015

Please see today's post on the vuln: https://blog.sucuri.net/2015/01/vbseos-vulnerability-leads-to-remote-code-execution.html

  2. Nick Le Mouton

    January 12, 2015

    Daniel do you have a working PoC? I’m reluctant to remove a chunk of code from vbseo without knowing what else it may break. There seems to be very little written about this potential vulnerability.

    • Marc Montpas

      January 12, 2015

      We do, we will publish a follow-up blog post very soon to explain the issue with more details.

      • Nick Le Mouton

        January 12, 2015

        I’ll watch out for it. So far I’ve managed to get a working XSS, but I’m unsure of how to achieve full remote execution.

        • Jay

          January 13, 2015

Same on our site, Nick. Curious for more. There has been code injection in previous versions of VBSEO, so I'm sure there's more evil in this one too.

          • Tony Perez

            January 13, 2015

            Gentlemen, see today’s post explaining the vuln: https://blog.sucuri.net/2015/01/vbseos-vulnerability-leads-to-remote-code-execution.html

  3. Joeychgo

    January 14, 2015

    Important to note, vBseo is a Third Party mod, officially, vBulletin has nothing to do with vBseo.

    • Video Game Chat

      January 19, 2015

      *WAS a third party mod. vbseo is not updated/maintained anymore these days in any way shape or form, it’s dead. Everyone reading this who is still using vbseo should look into the free dbseo by dragonbyte tech, available at their site and at vbulletin.org

  4. Stella Brown

    March 13, 2015

Great post. Yep, I know this vulnerability.
