Serious Vulnerability in VBSEO

The vBulletin team sent an email yesterday to all their clients about a potential security vulnerability in VBSEO. VBSEO is a widely used SEO module for vBulletin that was discontinued last year. This makes the problem worse, as no patches will be released for it.

If you are using VBSEO, you have 3 options:

Completely remove VBSEO from your site – It is not supported anymore
Apply the patch recommended by the vBulletin team
Put your site behind a Website Firewall, this will prevent the exploitation of this vulnerability and many others.

Our research team is looking at this issue and it seems to be a remote, unauthenticated script (HTML) injection vulnerability. It might lead to a full remote command execution, but we have not confirmed it yet. That’s as serious as it can get, since an attacker can use that to inject malware, spam or take down the site.

Update: We have since confirmed that remote code execution vulnerability does in fact exist, which is why the following recommendations should be followed immediately for all affected VBSEO websites.

This is the full email from vBulletin:

Dear VB License Holder,
It has come to our attention that there may be a potential security vulnerability in VBSEO affecting the latest version of the software (and potentially other versions as well). We’ve attempted to contact the vendor, but as they have been non-responsive we felt we should alert the community as many of our customers use this add-on software.
If you think you might be running a vulnerable version of the software, there is a simple fix: just comment out the following lines in the file vbseo/includes/functions_vbseo_hook.php:
if(isset($_REQUEST[‘ajax’]) && isset($_SERVER[‘HTTP_REFERER’]))
$permalinkurl = $_SERVER[‘HTTP_REFERER’].$permalinkurl;
should be changed to:
// if(isset($_REQUEST[‘ajax’]) && isset($_SERVER[‘HTTP_REFERER’]))
// $permalinkurl = $_SERVER[‘HTTP_REFERER’].$permalinkurl;
If you are running the “Suspect File Versions” diagnostics tool, you will additionally need to generate a new MD5 sum of the above file and edit upload/includes/md5_sums_crawlability_vbseo.php to use the new MD5 sum on the line:
Please be aware that you are making these changes at your own risk. We don’t know if making this change affects the terms of your VBSEO license and we can’t be responsible if making this change breaks your site.
CVE-2014-9463 has been assigned to this potential vulnerability by cve.mitre.org.

We will post more details as we investigate.

12 comments

Jay says:
January 9, 2015 at 7:50 am
Seems the Server[‘referrer’] value is not filtered and will be written directly into the cms template system. This enables persistent XSS.
1. Daniel Cid says:
  January 12, 2015 at 11:45 am
  Not only a XSS, but full remote command execution.
  1. Jay says:
    January 12, 2015 at 3:14 pm
    Hi Daniel. I digged deeper into the issue but couldn’t find a usefull attack vector. do you have any clues to a remote command execution? I think there must be preg_replace along with the /e parameter to do such things…
    1. Tony Perez says:
      January 13, 2015 at 1:21 pm
      Please today’s post on the vuln: https://blog.sucuri.net/2015/01/vbseos-vulnerability-leads-to-remote-code-execution.html
Nick Le Mouton says:
January 12, 2015 at 5:46 pm
Daniel do you have a working PoC? I’m reluctant to remove a chunk of code from vbseo without knowing what else it may break. There seems to be very little written about this potential vulnerability.
1. Marc Montpas says:
  January 12, 2015 at 6:53 pm
  We do, we will publish a follow-up blog post very soon to explain the issue with more details.
  1. Nick Le Mouton says:
    January 12, 2015 at 7:31 pm
    I’ll watch out for it. So far I’ve managed to get a working XSS, but I’m unsure of how to achieve full remote execution.
    1. Jay says:
      January 13, 2015 at 4:30 am
      Same on our site Nick. Curious for more. There has been code injection in previous version of VBSEO so I’m sure there’s more evil in this one too.
      1. Tony Perez says:
        January 13, 2015 at 1:21 pm
        Gentlemen, see today’s post explaining the vuln: https://blog.sucuri.net/2015/01/vbseos-vulnerability-leads-to-remote-code-execution.html
Joeychgo says:
January 14, 2015 at 12:25 pm
Important to note, vBseo is a Third Party mod, officially, vBulletin has nothing to do with vBseo.
1. Video Game Chat says:
  January 19, 2015 at 4:25 pm
  *WAS a third party mod. vbseo is not updated/maintained anymore these days in any way shape or form, it’s dead. Everyone reading this who is still using vbseo should look into the free dbseo by dragonbyte tech, available at their site and at vbulletin.org
Stella Brown says:
March 13, 2015 at 6:08 pm
Great post, Yep, I know this vulnerability..