vBulletin Redirect Exploit

[djbaxter]

We've recently seen both malware alerts and redirection exploits on vBulletin 3.x and 4.x versions. The redirects take links to your site to a link that looks like

[noparse]http://file2store.info/download.php?id=038CBCD4[/noparse]

This is an exploit first reported in 2010: see http://www.vbulletin.com/forum/showthread.php/345283-Secutity-Redirction-to-file2store.info

After trial and error and some research by myself and Linda Buquet at 5 Star Forums, we were led to this:

http://developer.yahoo.com/yui/

Note: All YUI 2.x users should review the YUI 2.8.2 security bulletin, which discusses a vulnerability present in YUI 2.4.0-2.8.1. If you host an a YUI 2.4.0-2.8.1 distribution, you need to take action — review the bulletin for full details.

If you know how to do it, you can upgrade the YUI version for your installation. Do NOT use the built in vBulletin YUI files since they are an older version (still, as of vBulletin 4.13).

In the meantime, do this:

1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
2. Scroll down to Use Remote YUI
3. Set this to Google

 

[The Sandman]

We've recently seen both malware alerts and redirection exploits on vBulletin 3.x and 4.x versions. The redirects take links to your site to a link that looks like

[noparse]http://file2store.info/download.php?id=038CBCD4[/noparse]

This is an exploit first reported in 2010: see http://www.vbulletin.com/forum/showthread.php/345283-Secutity-Redirction-to-file2store.info

After trial and error and some research by myself and Linda Buquet at 5 Star Forums, we were led to this:

http://developer.yahoo.com/yui/



If you know how to do it, you can upgrade the YUI version for your installation. Do NOT use the built in vBulletin YUI files since they are an older version (still, as of vBulletin 4.13).

In the meantime, do this:

1. Admin CP >> Settings >> Options >> Server Settings and Optimization Options
2. Scroll down to Use Remote YUI
3. [HIGHLIGHT]Set this to Google[/HIGHLIGHT]

Set to Google, or Yahoo?

 

[MarkR]

Thanks for the heads up!

In my options it only has "Yes" or "No", yes being it's set to Yahoo.

 

[djbaxter]

Set to Google or update to the newer version of the Yahoo YUI files. The old Yahoo version (which vBulletin references or uses) is compromised.

Give me a second and I'll tell you what to change to access the newer Yahoo YUI if you can't switch to Google.

 

[DaUnknownAdmin]

thanks for the info

 

[djbaxter]

Here you go. See http://articles.digitalpoint.com/content.php?r=7-Optimize-vBulletin-4

Use YUI 2.8.2 (or 2.9.x)
vBulletin 4.x currently ships with an outdated version of Yahoo User Interface (version 2.7.0). You can simply replace 2.7.0 with 2.9.x without any problems (2.8.x has a number of bug fixes, and so does 2.9.x).

The easiest way to do this is to go to Settings -> Options -> Server Settings and Optimization Options and make sure your Use Remote YUI setting is set to use Yahoo or Google remote hosting. Then edit your includes/class_core.php file and change this line:

define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle

to this:

define('YUI_VERSION', '2.8.2'); // define the YUI version we bundle

Note: When I tried using 2.90 on 4.13, I got errors. If this happens to you, use 2.82 or set the option to Google. -- Ignore. I was editing the 4.06 version of the file and trying to use it with 4.13.

Added:

I found that version 2.82 interfered with some functions in vBulletin 4.13. Use 2.90 instead:

define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle

 

[MarkR]

Is this same method possible with vBulletin 3.x?

 

[djbaxter]

Just checking....

 

[Iconic]

Thanks for telling us that!

 

[djbaxter]

It should. Open /includes/class_core.php and find at line 15:

define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle, used for external YUI

Change version to 2.8.2 as described above. Let me know if it generates errors.

 

[djbaxter]

I just tried it on a 3.83 and it seems to have worked.

 

[MarkR]

Thank you very much minstrel, for both the heads up and the how-to.

Edit: Looks like I have to spread some more reputation before I can give more to you . Darn system!

 

[Adam H]

Thanks for that, I think i have all mine set to google anyway but ill go and make sure now just incase.

 

[djbaxter]

Steve Machol at vBulletin has indicated that they will be issuing a patch shortly but confirms that you should switch to the Google libraries for now.

 

[Adam H]

It seems it was a good idea i double checked , one site was using yahoo , Thanks David for the heads up.

 

[wanksta]

It should. Open /includes/class_core.php and find at line 15:

define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle, used for external YUI

Change version to 2.82 as described above. Let me know if it generates errors.

Thank you very much for the heads up mate!

I am a little hesitant on changing this at the moment on a production level what is the worst case scenario if I amend that php file with your provided instructions?

Secondly how can I test to see if it is working once I amend the php file as per your post?

I am running 3.8.6...

 

[djbaxter]

Do a View Source. Youll be able to see "2.8.2" in the headers.

 

[SiteOwnersClub]

Thanks changed mine to google.

This exploit has been reported since March 2010, and it has taken this long to acknowledge (let alone fix)

 

[Calash]

I just tried it on a 3.83 and it seems to have worked.

My install of 3.8 was using the external Google, yet it still showed the 2.7.0 version in the source. I applied the update to the class_core.php and now it is showing the 2.8.2.

 

[djbaxter]

My install of 3.8 was using the external Google, yet it still showed the 2.7.0 version in the source. I applied the update to the class_core.php and now it is showing the 2.8.2.

Yes. Even using the Google YUI seems to fix it but why vBulletin is still using 2.70 is beyond me. In 2010, the excuse was that sometimes new versions of YUI might have bugs. Yeah well sometimes old versions have bugs too.