#1  
07-31-2014, 08:27 AM
kpmedia
Site Staff | Web Hosting, Photo
 
Join Date: Feb 2004
Posts: 4,311
Thanked 376 Times in 342 Posts
Work in progress, not done yet....

Remember to add blank lines when removing lines of code, so as not to throw off the line numbering!

Commented!



Before We Begin - What is {REMOVE ONLY}

Editing PHP is not a novice-level activity.

However, many novices will surely follow this guide. And that's just great -- I hope it helps you!

But you need to use some common sense.

(1) You'll see "Old" and "New" code here, with accompanying line numbers. This should be self-explanatory. Find the old code, replace it with the new (or remove it). This guide should work with the recent/final 3.5.x and 3.6.x versions of vBSEO. The exact line numbers are for 3.6.0 only, and may differ slightly on other versions. The code may even differ slightly on older/newer versions.

(2) Do not replace removed code with {REMOVE ONLY}, as it will cause the code to throw PHP errors! {REMOVE ONLY} is in the bbcode block for style only. The code block wasn't left blank because (a) you can't leave [code] bbcode blank, and (b) so I don't get silly replies asking why I "forgot" the code and left it blank. {REMOVE ONLY} is my note to you -- remove the code! Those lines will now be blank. Easy, yes?

If you have questions, ask.



\vbseo\includes\functions_vbseo.php

Line 1350:

Old
Code:
$VBSEO_SHOW_COPYRIGHT = (
New
Code:
$VBSEO_BRANDING_FREE = (
^ This removes the "SEO by vBSEO" tag from the vBulletin footer. It contained a reference back to vbseo.com, and is therefore a security risk now that vbseo.com is under unknown ownership. All links to vbseo.com and crawlability.com must be removed.

___

Line 1394:

Old
Code:
'<a rel="nofollow" href="http://www.vbseo.com/'.VBSEO_AFFILIATE_ID.'/">'.($clinked ? 'vBSEO' : $cp_str).'</a>', $cp_str);
New
Code:
''.($clinked ? 'vBSEO' : $cp_str).'', $cp_str);
^ This strips a reference to vbseo.com from the code.

___

Line 1397-1399:

Old
Code:
$cp_str = str_replace('vBSEO', '<a rel="nofollow" href="http://www.crawlability.com/vbseo/">vBSEO</a>', $cp_str);
if(defined('VBSEO_UNREG'))
$cp_str .= ' (<span style="color:red;font-weight:bold;">'.(preg_match('#^vresp(.*)#',$vboptions['vbseo_confirmation_code'],$unregpm)?$unregpm[1]:'Unregistered').'</span>)';
New
Code:
$cp_str = str_replace('vBSEO', 'vBSEO', $cp_str);
^ This strips a reference to crawlability.com from the code. And the change removes the red "unregistered" nag warning from the vBulletin forum (as shown above), though it does not remove the underlying registration issue.

___

Line 1441-1442:


Old
Code:
if(defined('VBSEO_UNREG_EXPIRED'))
return $newtext;
New
Code:
{REMOVE ONLY}
^ This removes a call to a language variable that displays nag warning text.



\vbseo\includes\functions_vbseo_hook.php

Line 52:

Old
Code:
if(defined('VBSEO_UNREG_EXPIRED'))
return ;
New
Code:
{REMOVE ONLY}
^ This removes a variable that allows for unregistered versions to exist in this query.



\vbseo\includes\functions_vbseo_startup.php

Line 155:

Old
Code:
vbseo_check_confirmation();
New
Code:
{REMOVE ONLY}
^ This is part of the callback ('phone home') function.

___

Line 217-316:

Old
Code:
}
}
function vbseo_check_keys($thekey, &$keys)
{
global $vboptions;
$lic_type = 0;
if (strstr($thekey, $keys[0]))
$lic_type = 1; 
else
if (strstr($thekey, $keys[1]))
$lic_type = 2; 
else
if (strstr($thekey, $keys[2]))
$lic_type = 3; 
else
if (strstr($thekey, $keys[3]))
$lic_type = 4; 
$fail_params = array();
if (defined('VBSEO_LICENSE_TYPE'))
{
}
else
{
if (!$lic_type) return false;
define('VBSEO_LICENSE_TYPE', $lic_type);
$type_string = array('', 'Pro', 'Lite', 'Standard', 'Branding free');
define('VBSEO_LICENSE_STR', $type_string[$lic_type]);
switch (VBSEO_LICENSE_TYPE)
{
case 4:
define('VBSEO_BRANDING_FREE', true);
case 1:
define('VBSEO_LICENSE_CRR', true);
break;
case 3:
break;
case 2:
define('VBSEO_LITE', true);
break;
}
}
if (count($fail_params))
{
if (defined('VBSEO_NO_LICENSE_CHECK_5342')) return;
echo 'vBSEO license usage error: ' .
implode(', ', $fail_params) . '<br />Please correct the mentioned issues or contact support@vbseo.com';
exit();
}
return ($lic_type ? true : false);
}
function vbseo_check_confirmation()
{
global $vboptions, $vbulletin, $licresponse;
if (!$vboptions['bburl2'])
return;
$url = $vboptions['bburl'];
if (!strstr($url, '://'))$url = 'http://' . $url;
$purl = @parse_url($url);
$dom = preg_replace('#\bwww\.#', '', $purl['host']);
$vbtop = $dom . VBSEO_VERSION2_MORE;
$vbseo_keys = array(
md5(md5($vbtop . '{RANDOM_STRING}')),
md5(md5($vbtop . '{RANDOM_STRING}')),
md5(md5($vbtop . '{RANDOM_STRING}')),
md5(md5($vbtop . '{RANDOM_STRING}')),
);
if (vbseo_check_keys(VBSEO_LICENSE_CODE, $vbseo_keys))
$vboptions['vbseo_confirmation_code'] = VBSEO_LICENSE_CODE;
if (!defined('VBSEO_IS_VBSEOCP') && 
vbseo_check_keys($vboptions['vbseo_confirmation_code'], $vbseo_keys)) 
return;
$db = vbseo_get_db();
$vbo = vbseo_get_datastore('options');
$vbseoo = vbseo_get_datastore('vbseo_options');
if (!defined('VBSEO_IS_VBSEOCP') && vbseo_check_keys($vbseoo['license'], $vbseo_keys))
{
$vboptions['vbseo_confirmation_code'] = $vbo['vbseo_confirmation_code'] = $vbseoo['license'];
$check_again = false;
}
else
if (!vbseo_check_keys($vboptions['vbseo_confirmation_code'], $vbseo_keys))
{                                 
$qurl = 'http://www.crawlability.com/';
$qurl .= 'vbseo-reg/vbseo-reg.php?vbtop=' . urlencode($vboptions['bburl']) . '&ver=' . urlencode(VBSEO_VERSION2_MORE) . '&t=6&ccode=' . urlencode(substr($vboptions['vbseo_confirmation_code'], 0, 100));
$gq = vbseo_http_query($qurl);
$lcode = substr(preg_replace('#[^\w ]#', '', $gq), 0, 100);
if($lcode)
$vboptions['vbseo_confirmation_code'] = $vbseoo['license'] = $vbo['vbseo_confirmation_code'] = $lcode;
$check_again = true;
}
vbseo_set_datastore('vbseo_options', $vbseoo);
vbseo_set_datastore('options', $vbo);
if (
!vbseo_check_keys($vbo['vbseo_confirmation_code'], $vbseo_keys) && !defined('VBSEO_NO_LICENSE_CHECK_5342'))
{
define('VBSEO_UNREG', true);
if (defined('VBSEO_LITE_DEFAULT'))
define('VBSEO_LITE', true);
if (VBSEO_EXPIRED_MORE)
define('VBSEO_UNREG_EXPIRED', 1);
New
Code:
{REMOVE ONLY}
^ This is the main query for the callback ('phone home') function of vBSEO.

This has proven to be dangerous code at least twice now (two major vBSEO breaches over the years), and could again be a potential issue in the future. It should have never existed in the first place. More on that in a bit.

As will be explained later, local DNS for crawlability.com/vbseo.com should be set to 127.0.0.1 in your server HOSTS file, for added security. I believe that PHP code references have been removed, but there may be some hiding in the MySQL database.

Also note that {RANDOM_STRING} is my replacement for potentially identifying information.



\vbseo\includes\functions_vbseo_url.php

Line 515:


Old
Code:
if (defined('VBSEO_UNREG_EXPIRED'))return;
New
Code:
{REMOVE ONLY}
^ This removes a variable that allows for unregistered versions to exist in this query.



\vbseo\includes\functions_vbseo_vb.php

Line 1077:


Old
Code:
vbseo_int_var($aids);
New
Code:
{REMOVE ONLY}
^ This removes the auto-injected affiliate ID.

To be honest, I don't think their affiliate system ever worked. I would even go so far as to suggest that it was intentionally broken. You'd send them traffic, but not get credit for it -- or the commissions for sales!



\vbseo\includes\functions_vbseocp.php

Line 515:


Old
Code:
$lictext = $liccode = $vboptions['vbseo_confirmation_code'];
if(!$liccode)
$lictext = self::lang('contact_license');
if(preg_match('#Unauthorized Upgrade#i', $liccode))
{
$lictext = self::lang('unauth_upgrade');
$liccode = '';
}
$keyvalid = $liccode && ($liccode == vBSEO_Storage::setting('VBSEO_LICENSE_CODE'));
$repl = array(                                                        
'version' => VBSEO_VERSION2_MORE.(defined('VBSEO_LICENSE_STR') ? (VBSEO_LICENSE_TYPE==1 ? '' : ' '.VBSEO_LICENSE_STR) : ', Unreg'),
'lic_code' => vBSEO_Storage::setting('VBSEO_LICENSE_CODE'),
'keyclass' => $keyvalid ? 'success' : 'error',
'keycheck' => self::lang($keyvalid ? 'cp_validkey' : 'cp_invalidkey'),
'valid_code_msg' => $lictext,
'valid_class' => $liccode ? 'green' : 'red',
'valid_code' => $liccode,
);
if(!$liccode)
$result['messages'][] = array('attention', self::lang('cannot_retrieve_license'));
New
Code:
{REMOVE ONLY}
^ This removes the license text from the vBSEO control panel (usually accessed via the vBulletin admincp).



\vbseo\includes\functions_vbseocp_abstract.php

Line 199:

Old
Code:
'checkver'=> 'http://www.vbseo.com/info/vbseo_checkver.js?ver=' . VBSEO_VERSION2_MORE,
New
Code:
{REMOVE ONLY}
^ This removes another callback ('phone home') query that poses a huge security risk. I believe that this was the code that was hacked on vBSEO.com, which led to the widespread hacking from December 2011 and January 2012.

___

Line 511-514:

Old
Code:
unset($settings['VBSEO_LICENSE_CODE']);
global $vboptions;
if($vboptions['vbseo_confirmation_code'])
$settings['VBSEO_LICENSE_CODE'] = $vboptions['vbseo_confirmation_code'];
New
Code:
{REMOVE ONLY}
^ This is part of the post-callback that will either allow or deny vBSEO from functioning.

___

Line 592:


Old
Code:
unset($all_settings['VBSEO_LICENSE_CODE']);
New
Code:
{REMOVE ONLY}
^ This is also part of the post-callback that will either allow or deny vBSEO from functioning.


Continued in next post...

- Did my advice help you? Then become a Premium Member and support this site.
- Please Like Us on Facebook | Follow Us on Twitter

- Need a good web host? Ask me for help! Get the shared, VPS, semi-dedicated, cloud, or reseller you need.
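
Added example, not part of the original posts: a Python audit for the two defensive steps described in post #1, finding any remaining references to vbseo.com or crawlability.com in the vBSEO files and checking that HOSTS-file text maps those names to 127.0.0.1. The function names, the list of file extensions, and the sample files and HOSTS content are constructed assumptions; it does not inspect the MySQL database.

```python
import re
import tempfile
from pathlib import Path

# Domains the post says must no longer be linked to or contacted.
DOMAINS = ("vbseo.com", "crawlability.com")
# Match the bare domain or any subdomain, but not look-alikes such as
# "notvbseo.com" or "vbseo.com.example".
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*(?:" + "|".join(map(re.escape, DOMAINS)) + r")(?![\w-]|\.\w)",
    re.IGNORECASE,
)
TEXT_EXTS = {".php", ".html", ".xml", ".js"}  # assumed set of file types to scan


def find_domain_refs(root):
    """Return sorted (relative path, line number, matched host) tuples."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for m in DOMAIN_RE.finditer(line):
                    hits.append((path.relative_to(root).as_posix(), lineno, m.group(0).lower()))
    return sorted(hits)


def not_sinkholed(hosts_text, names):
    """Return the names that the HOSTS-file text does NOT map to 127.0.0.1."""
    first_ip = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        for name in fields[1:]:
            first_ip.setdefault(name.lower(), fields[0])  # first entry wins
    return [n for n in names if first_ip.get(n.lower()) != "127.0.0.1"]


def demo():
    """Run both checks on constructed sample data (not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, "vbseo", "includes")
        inc.mkdir(parents=True)
        # One leftover line (quoted from the post) and one already-edited line.
        (inc / "functions_vbseocp_abstract.php").write_text(
            "<?php\n'checkver'=> 'http://www.vbseo.com/info/vbseo_checkver.js?ver=' . VBSEO_VERSION2_MORE,\n"
        )
        (inc / "functions_vbseo.php").write_text(
            "<?php\n$cp_str = str_replace('vBSEO', 'vBSEO', $cp_str);\n"
        )
        refs = find_domain_refs(tmp)
    hosts = "127.0.0.1 localhost\n127.0.0.1 vbseo.com www.vbseo.com  # sinkhole\n"
    wanted = [prefix + d for d in DOMAINS for prefix in ("", "www.")]
    return refs, not_sinkholed(hosts, wanted)


if __name__ == "__main__":
    print(demo())
```

Point `find_domain_refs` at the forum root after finishing the edits; an empty list and an empty `not_sinkholed` result mean neither check found anything left to fix.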
  #2  
07-31-2014, 10:34 AM
kpmedia


\vbseo\resources\html\cp_crrs.html

Line 5:

Old
Code:
<li><a href="http://www.vbseo.com/info/crr-maker-ajax.html" target="_blank" class="default-tab">{lang:crr_creator_link}</a></li>
New
Code:
<li>{lang:crr_creator_link}</li>


\vbseo\resources\html\cp_dashboard.html

Line 9:

Old
Code:
<li><a href="#tab1" class="default-tab">{lang:cp_licinfo}</a></li>
New
Code:
<li><a href="#tab1" class="default-tab">vBSEO Info</a></li>
___

Line 20-34:

Old
Code:
                                <p>{lang:cp_validkey}: <span class="{var:valid_class}"><b id="c_validkey">{var:valid_code_msg}</b></span></p>
                                <p>{lang:key_config}</p>
                                <form action="" method="post">
                                    <fieldset>
                                        <p>
                                            <label>{lang:current_key}</label>
                                            <input name="setting[VBSEO_LICENSE_CODE]" type="text" class="text-input medium-input" value="{var:lic_code}" /> 
                                            <span class="input-notification {var:keyclass} png_bg">{var:keycheck}</span>
                                            <br /><small>{lang:cp_mustmatch}</small>
                                        </p>
                                        <p>
                                            <input class="button" type="submit" value="{lang:cp_save}" onclick="return vbseocp.submit_form()" />
                                        </p>
                                    </fieldset>
                                </form>
New
Code:
{REMOVE ONLY}


\vbseo\resources\html\vbseocp.html

Line 179:

Old
Code:
<script type="text/javascript" src="{var:checkver}"></script>
New
Code:
{REMOVE ONLY}


\vbseo\resources\xml\config.xml

Line 11-14:

Old
Code:
<setting>
<name>VBSEO_LICENSE_CODE</name>
<value>{YOUR_KEY_IS_HERE!}</value>
</setting>
New
Code:
{REMOVE ONLY}
Note: {YOUR_KEY_IS_HERE!} is my change, as this code contains identifiable information.



{forum_root}\vbseo.php

Line 65:

Old
Code:
$vbseo_proc = VBSEO_ENABLED && !defined('VBSEO_UNREG_EXPIRED');
New
Code:
$vbseo_proc = VBSEO_ENABLED;


{forum_root}\vbseocp.php

Line 114:

Old
Code:
if(!$vboptions['vbseo_confirmation_code'] ||
($vboptions['vbseo_confirmation_code'] != vBSEO_Storage::setting('VBSEO_LICENSE_CODE')))
$result['messages'][] = array('error', vBSEO_CP::lang('invalidkey_notice'));
New
Code:
{REMOVE ONLY}
For security reasons, this file should be renamed, if you've not done so already.
Rename it to whatever you want, then edit \includes\xml\cpnav_vbseo.xml and edit line 6 with the new filename:
Code:
            <link>../anothername_vbseocp.php</link>

  #3  
07-31-2014, 11:08 AM
kpmedia
Optional change to language files only.

These changes must be made in whatever XML language file is in use! Since I only use the English one, that's the one being shown here. (Tip: Any language not in use is a file that you should not keep on the server!)



\vbseo\resources\xml\vpseocp_english.xml

Line 324-335:

Old
Code:
     <message>
        <name>license_desc</name>
        <value>&lt;b&gt;Your vBSEO License Key&lt;/b&gt;</value>
    </message>
    <message>
        <name>key_config</name>
        <value>Your key changes with &lt;strong&gt;a new vBSEO version&lt;/strong&gt; OR &lt;strong&gt;a change in forum URL&lt;/strong&gt;. Save your Valid key (displayed above) by entering it in the field below.</value>
    </message>
    <message>
        <name>current_ver</name>
        <value>Current version</value>
    </message>
New
Code:
{REMOVE ONLY}
___

Line 340-355:

Old
Code:
    <message>
        <name>current_key</name>
        <value>Your current key</value>
    </message>
    <message>
        <name>contact_license</name>
        <value>Contact &lt;a href&quot;mailto:licenses@crawlability.com&quot;&gt;licenses@crawlability.com&lt;/a&gt;</value>
    </message>
    <message>
        <name>cannot_retrieve_license</name>
        <value>vBSEO was unable to retrieve a 'Valid key' for your site. This occurs if vBSEO has not been licensed for your domain OR if the system was unable to establish a network connection to retrieve the key. Please contact &lt;a href=&quot;mailto:licenses@crawlability.com&quot;&gt;licenses@crawlability.com&lt;/a&gt;, or open a support ticket at &lt;a href=&quot;http://www.vbseo.com/support/&quot;&gt;http://www.vbseo.com/support/&lt;/a&gt; to get your license key.</value>
    </message>
    <message>
        <name>unauth_upgrade</name>
        <value>It appears this domain is not licensed for the vBSEO version your are attempting to install. Visit the &lt;a href&quot;https://www.vbseo.com/downloads/&quot;&gt;downloads area&lt;/a&gt; to renew your license, or revert to a previous vBSEO version valid for your domain.</value>
    </message>
New
Code:
{REMOVE ONLY}
___

Line 2927:


Old
Code:
    <message>
        <name>cp_licinfo</name>
        <value>License Information</value>
    </message>
New
Code:
{REMOVE ONLY}
___

Line 2937-2949:

Old
Code:
<value>License Key &amp; Data Backup</value>
    </message>
    <message>
        <name>cp_validkey</name>
        <value>Valid key</value>
    </message>
    <message>
        <name>cp_mustmatch</name>
        <value>This number must match the &quot;Valid key&quot; listed above</value>
    </message>
    <message>
        <name>cp_invalidkey</name>
        <value>Invalid key</value>
New
Code:
{REMOVE ONLY}
___

Line 3155-3159:


Old
Code:
<message>
        <name>invalidkey_notice</name>
        <value>Your 'current' license key does not match your valid key, please license your vBSEO instance by saving your valid key as your 'current' license key. </value>
    </message>
New
Code:
{REMOVE ONLY}

  #4  
07-31-2014, 02:40 PM
kpmedia
Preface

Warning! Do not use "nulled"/hacked copies. Analyzed 3 copies, all had obfuscated/encrypted code, at least one was malicious. The "validator.php" is complete nonsense -- totally useless, easy to rewrite and re-obfuscate/encrypt with malicious code.

^ First instinct wrong

history and downfall of vbseo - information gathered online
- lack of thrust
- cost + feeling that vB should already incorporate friendly URLs in the core code (and eventually, it did)
- warring siblings, Puerto Rico (part of U.S. for politically challenged)
- typical "kiddie business" -- at least give us steps to fix! (others have);
- stole my money IMO;
- no support (only one ticket ever, after waiting 3 weeks with 2 bumps), lost $1000+ due to negligence (stupid phone home) from hack == link to analysis from Jan 2012 http://www.digitalfaq.com/forum/web-...k-exploit.html

blow-off analysis
Quote:
What do they do?
None of the plugins have a particularly offending code, they simply "listen" for incoming requests from a third party. In a compromised board, the code is passed via a cookie or POST request as described previously, this is dangerous in the sense that a request can be *anything*. However, what we have seen appears to be a link-stealer for outbound traffic and doesn't necessarily expose any information or passwords of your site. It is always a good idea to update your ftp, server, vb admin, vbseocp, and even any htaccess passwords on your server as a precaution.
As owners, we'll do whatever is best

VPS or dedicated hosting only, shared not suggested


Conclusion / Disclaimer

kiss my ass. We bought the software, vBSEO was in violation of the license -- not us.

Phone home was a horrible idea, bungled multiple times. Greed caused it to be put there, yet removing this nonsense was fairly easy to do, if you have some PHP editing skills. Sadly, most do not.


Attached Images
File Type: jpg vbulletin-unregistered-nag.jpg (2.3 KB, 0 downloads)
