vBulletin Redirect Exploit

djbaxter

Tazmanian Veteran
Joined
Jun 6, 2006
Messages
10,473
We've recently seen both malware alerts and redirection exploits on vBulletin 3.x and 4.x versions. The redirects take links to your site to a link that looks like

http://file2store.info/download.php?id=038CBCD4

This is an exploit first reported in 2010: see http://www.vbulletin.com/forum/showthread.php/345283-Secutity-Redirction-to-file2store.info

After trial and error and some research by myself and Linda Buquet at 5 Star Forums, we were led to this:

http://developer.yahoo.com/yui/

Note: All YUI 2.x users should review the YUI 2.8.2 security bulletin, which discusses a vulnerability present in YUI 2.4.0-2.8.1. If you host a YUI 2.4.0-2.8.1 distribution, you need to take action — review the bulletin for full details.

If you know how to do it, you can upgrade the YUI version for your installation. Do NOT use the built-in vBulletin YUI files since they are an older version (still, as of vBulletin 4.13).

In the meantime, do this:

  1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
  2. Scroll down to Use Remote YUI
  3. Set this to Google
 

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,139
We've recently seen both malware alerts and redirection exploits on vBulletin 3.x and 4.x versions. The redirects take links to your site to a link that looks like

http://file2store.info/download.php?id=038CBCD4

This is an exploit first reported in 2010: see http://www.vbulletin.com/forum/showthread.php/345283-Secutity-Redirction-to-file2store.info

After trial and error and some research by myself and Linda Buquet at 5 Star Forums, we were led to this:

http://developer.yahoo.com/yui/



If you know how to do it, you can upgrade the YUI version for your installation. Do NOT use the built-in vBulletin YUI files since they are an older version (still, as of vBulletin 4.13).

In the meantime, do this:

  1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
  2. Scroll down to Use Remote YUI
  3. Set this to Google

Set to Google, or Yahoo?
 

MarkR

Fan
Joined
Dec 10, 2008
Messages
600
Thanks for the heads up! :)

In my options it only has "Yes" or "No", yes being it's set to Yahoo.
 

djbaxter

Set to Google or update to the newer version of the Yahoo YUI files. The old Yahoo version (which vBulletin references or uses) is compromised.

Give me a second and I'll tell you what to change to access the newer Yahoo YUI if you can't switch to Google.
 

djbaxter

Here you go. See http://articles.digitalpoint.com/content.php?r=7-Optimize-vBulletin-4

Use YUI 2.8.2 (or 2.9.x)
vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).

The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:

PHP:
define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle


to this:

PHP:
define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle


Note: When I tried using 2.90 on 4.13, I got errors. If this happens to you, use 2.82 or set the option to Google. -- Ignore. I was editing the 4.06 version of the file and trying to use it with 4.13.

Added:

I found that version 2.82 interfered with some functions in vBulletin 4.13. Use 2.90 instead:

PHP:
define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle
 

djbaxter

It should. Open /includes/class_core.php and find at line 15:

PHP:
define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle, used for external YUI

Change version to 2.8.2 as described above. Let me know if it generates errors.
 

djbaxter

I just tried it on a 3.83 and it seems to have worked.
 

MarkR

Thank you very much minstrel, for both the heads up and the how-to.

Edit: Looks like I have to spread some more reputation before I can give more to you :p. Darn system!
 

Adam H

** Retired **
Joined
Jun 22, 2008
Messages
2,040
Thanks for that, I think I have all mine set to Google anyway but I'll go and make sure now just in case.
 

djbaxter

Steve Machol at vBulletin has indicated that they will be issuing a patch shortly but confirms that you should switch to the Google libraries for now.
 

Adam H

It seems it was a good idea I double checked, one site was using Yahoo :). Thanks David for the heads up.
 

wanksta

Internet Sweatshop
Joined
Jul 29, 2009
Messages
425
It should. Open /includes/class_core.php and find at line 15:

PHP:
define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle, used for external YUI

Change version to 2.82 as described above. Let me know if it generates errors.

Thank you very much for the heads up mate!

I am a little hesitant on changing this at the moment on a production level. What is the worst case scenario if I amend that PHP file with your provided instructions?

Secondly, how can I test to see if it is working once I amend the PHP file as per your post?

I am running 3.8.6...
 

djbaxter

Do a View Source. You'll be able to see "2.8.2" in the headers.
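
Added example, not part of the original thread: a Python check that automates the "View Source" test by reading the `YUI_VERSION` define and the YUI URLs in a rendered page, then flagging anything in the 2.4.0-2.8.1 range named in the bulletin quoted above. The function names are hypothetical, the sample inputs are constructed, and the URL pattern assumes remote YUI assets carry the version as a path segment before `/build/`.

```python
import re

# Affected range from the YUI 2.8.2 security bulletin quoted in the thread.
VULN_MIN, VULN_MAX = (2, 4, 0), (2, 8, 1)

# The define() line in includes/class_core.php, as posted in the thread.
DEFINE_RE = re.compile(r"define\(\s*'YUI_VERSION'\s*,\s*'(\d+\.\d+\.\d+)'")
# A YUI 2.x version used as a path segment before /build/ in a src/href URL.
URL_RE = re.compile(r"""(?:src|href)=["']([^"']*?/(2\.\d+\.\d+)/build/[^"']*)["']""")


def is_vulnerable(version):
    """True if version falls in 2.4.0-2.8.1 (compared numerically, not as text)."""
    return VULN_MIN <= tuple(int(p) for p in version.split(".")) <= VULN_MAX


def configured_version(class_core_source):
    """Version string from the YUI_VERSION define, or None if it is absent."""
    m = DEFINE_RE.search(class_core_source)
    return m.group(1) if m else None


def served_versions(html):
    """Map each YUI version referenced by the page to the URLs that use it."""
    found = {}
    for url, version in URL_RE.findall(html):
        found.setdefault(version, []).append(url)
    return found


def audit(class_core_source, html):
    """Return (source, version, status) rows for the config and the page."""
    rows = []
    cfg = configured_version(class_core_source)
    rows.append(("class_core.php", cfg,
                 "not found" if cfg is None else
                 "VULNERABLE" if is_vulnerable(cfg) else "ok"))
    for version in sorted(served_versions(html)):
        rows.append(("page source", version,
                     "VULNERABLE" if is_vulnerable(version) else "ok"))
    return rows


# Constructed sample input: remote YUI set to Google, define still at 2.7.0.
SAMPLE_PHP = "define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle"
SAMPLE_HTML = ('<script type="text/javascript" src="http://ajax.googleapis.com'
               '/ajax/libs/yui/2.7.0/build/yuiloader-dom-event/'
               'yuiloader-dom-event.js"></script>')

if __name__ == "__main__":
    for row in audit(SAMPLE_PHP, SAMPLE_HTML):
        print(*row)
```

The sample reproduces the case reported later in the thread, where the remote host was already Google but the page still referenced 2.7.0 until the define was changed.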
 

SiteOwnersClub

Enthusiast
Joined
May 3, 2011
Messages
190
Thanks, changed mine to Google.

This exploit has been reported since March 2010, and it has taken this long to acknowledge (let alone fix) :confused:
 

Calash

Habitué
Joined
Mar 9, 2006
Messages
1,151
I just tried it on a 3.83 and it seems to have worked.

My install of 3.8 was using the external Google, yet it still showed the 2.7.0 version in the source. I applied the update to the class_core.php and now it is showing the 2.8.2.
 

djbaxter

My install of 3.8 was using the external Google, yet it still showed the 2.7.0 version in the source. I applied the update to the class_core.php and now it is showing the 2.8.2.

Yes. Even using the Google YUI seems to fix it but why vBulletin is still using 2.70 is beyond me. In 2010, the excuse was that sometimes new versions of YUI might have bugs. Yeah well sometimes old versions have bugs too. :rolleyes:
 