Work in progress, not done yet....
Remember to add blank lines when removing lines of code, so as not to throw off the line numbering!
Commented!
Before We Begin - What is {REMOVE ONLY}
Editing PHP is not a novice-level activity.
However, many novices will surely follow this guide. And that's just great -- I hope it helps you!
But you need to use some common sense.
(1) You'll see "Old" and "New" code here, with accompanying line numbers. This should be self-explanatory. Find the old code, replace it with the new (or remove it). This guide should work with the recent/final 3.5.x and 3.6.x versions of vBSEO. The exact line numbers are for 3.6.0 only, and may differ slightly on other versions. The code may even differ slightly on older/newer versions.
(2) Do not replace removed code with {REMOVE ONLY}, as it will cause the code to throw PHP errors! {REMOVE ONLY} is in the bbcode block for style only. The code block wasn't left blank because (a) you can't leave [code] bbcode blank, and (b) so I don't get silly replies asking why I "forgot" the code and left it blank. {REMOVE ONLY} is my note to you -- remove the code! Those lines will now be blank. Easy, yes?
If you have questions, ask.
\vbseo\includes\functions_vbseo.php
Line 1350:
Old
Code:
$VBSEO_SHOW_COPYRIGHT = (
New
Code:
$VBSEO_BRANDING_FREE = (
^ This removes the "SEO by vBSEO" tag from the vBulletin footer. It contained a reference back to vbseo.com, and is therefore a security risk now that vbseo.com is under unknown ownership. All links to vbseo.com and crawlability.com must be removed.
___
Line 1394:
Old
Code:
'<a rel="nofollow" href="http://www.vbseo.com/'.VBSEO_AFFILIATE_ID.'/">'.($clinked ? 'vBSEO' : $cp_str).'</a>', $cp_str);
New
Code:
''.($clinked ? 'vBSEO' : $cp_str).'', $cp_str);
^ This strips a reference to vbseo.com from the code.
___
Line 1397-1399:
Old
Code:
$cp_str = str_replace('vBSEO', '<a rel="nofollow" href="http://www.crawlability.com/vbseo/">vBSEO</a>', $cp_str);
if(defined('VBSEO_UNREG'))
$cp_str .= ' (<span style="color:red;font-weight:bold;">'.(preg_match('#^vresp(.*)#',$vboptions['vbseo_confirmation_code'],$unregpm)?$unregpm[1]:'Unregistered').'</span>)';
New
Code:
$cp_str = str_replace('vBSEO', 'vBSEO', $cp_str);
^ This strips a reference to crawlability.com from the code. The change also removes the red "unregistered" nag warning from the vBulletin forum (as shown above), though it does not remove the underlying registration issue.
___
Line 1441-1442:
Old
Code:
if(defined('VBSEO_UNREG_EXPIRED'))
return $newtext;
New
Code:
{REMOVE ONLY}
^ This removes a call to a language variable that displays nag warning text.
\vbseo\includes\functions_vbseo_hook.php
Line 52:
Old
Code:
if(defined('VBSEO_UNREG_EXPIRED'))
return ;
New
Code:
{REMOVE ONLY}
^ This removes a variable that allows for unregistered versions to exist in this query.
\vbseo\includes\functions_vbseo_startup.php
Line 155:
Old
Code:
vbseo_check_confirmation();
New
Code:
{REMOVE ONLY}
^ This is part of the callback ('phone home') function.
___
Line 217-316:
Old
Code:
}
}
function vbseo_check_keys($thekey, &$keys)
{
global $vboptions;
$lic_type = 0;
if (strstr($thekey, $keys[0]))
$lic_type = 1;
else
if (strstr($thekey, $keys[1]))
$lic_type = 2;
else
if (strstr($thekey, $keys[2]))
$lic_type = 3;
else
if (strstr($thekey, $keys[3]))
$lic_type = 4;
$fail_params = array();
if (defined('VBSEO_LICENSE_TYPE'))
{
}
else
{
if (!$lic_type) return false;
define('VBSEO_LICENSE_TYPE', $lic_type);
$type_string = array('', 'Pro', 'Lite', 'Standard', 'Branding free');
define('VBSEO_LICENSE_STR', $type_string[$lic_type]);
switch (VBSEO_LICENSE_TYPE)
{
case 4:
define('VBSEO_BRANDING_FREE', true);
case 1:
define('VBSEO_LICENSE_CRR', true);
break;
case 3:
break;
case 2:
define('VBSEO_LITE', true);
break;
}
}
if (count($fail_params))
{
if (defined('VBSEO_NO_LICENSE_CHECK_5342')) return;
echo 'vBSEO license usage error: ' .
implode(', ', $fail_params) . '<br />Please correct the mentioned issues or contact support@vbseo.com';
exit();
}
return ($lic_type ? true : false);
}
function vbseo_check_confirmation()
{
global $vboptions, $vbulletin, $licresponse;
if (!$vboptions['bburl2'])
return;
$url = $vboptions['bburl'];
if (!strstr($url, '://'))$url = 'http://' . $url;
$purl = @parse_url($url);
$dom = preg_replace('#\bwww\.#', '', $purl['host']);
$vbtop = $dom . VBSEO_VERSION2_MORE;
$vbseo_keys = array(
md5(md5($vbtop . '{RANDOM_STRING}')),
md5(md5($vbtop . '{RANDOM_STRING}')),
md5(md5($vbtop . '{RANDOM_STRING}')),
md5(md5($vbtop . '{RANDOM_STRING}')),
);
if (vbseo_check_keys(VBSEO_LICENSE_CODE, $vbseo_keys))
$vboptions['vbseo_confirmation_code'] = VBSEO_LICENSE_CODE;
if (!defined('VBSEO_IS_VBSEOCP') &&
vbseo_check_keys($vboptions['vbseo_confirmation_code'], $vbseo_keys))
return;
$db = vbseo_get_db();
$vbo = vbseo_get_datastore('options');
$vbseoo = vbseo_get_datastore('vbseo_options');
if (!defined('VBSEO_IS_VBSEOCP') && vbseo_check_keys($vbseoo['license'], $vbseo_keys))
{
$vboptions['vbseo_confirmation_code'] = $vbo['vbseo_confirmation_code'] = $vbseoo['license'];
$check_again = false;
}
else
if (!vbseo_check_keys($vboptions['vbseo_confirmation_code'], $vbseo_keys))
{
$qurl = 'http://www.crawlability.com/';
$qurl .= 'vbseo-reg/vbseo-reg.php?vbtop=' . urlencode($vboptions['bburl']) . '&ver=' . urlencode(VBSEO_VERSION2_MORE) . '&t=6&ccode=' . urlencode(substr($vboptions['vbseo_confirmation_code'], 0, 100));
$gq = vbseo_http_query($qurl);
$lcode = substr(preg_replace('#[^\w ]#', '', $gq), 0, 100);
if($lcode)
$vboptions['vbseo_confirmation_code'] = $vbseoo['license'] = $vbo['vbseo_confirmation_code'] = $lcode;
$check_again = true;
}
vbseo_set_datastore('vbseo_options', $vbseoo);
vbseo_set_datastore('options', $vbo);
if (
!vbseo_check_keys($vbo['vbseo_confirmation_code'], $vbseo_keys) && !defined('VBSEO_NO_LICENSE_CHECK_5342'))
{
define('VBSEO_UNREG', true);
if (defined('VBSEO_LITE_DEFAULT'))
define('VBSEO_LITE', true);
if (VBSEO_EXPIRED_MORE)
define('VBSEO_UNREG_EXPIRED', 1);
New
Code:
{REMOVE ONLY}
^ This is the main query for the callback ('phone home') function of vBSEO.
This has proven to be dangerous code at least twice now (two major vBSEO breaches over the years), and could again be a potential issue in the future. It should have never existed in the first place. More on that in a bit.
As will be explained later, local DNS for crawlability.com/vbseo.com should be set to 127.0.0.1 in your server's HOSTS file, for added security. I believe that PHP code references have been removed, but there may be some hiding in the MySQL database.
Also note that {RANDOM_STRING} is my replacement for potentially identifying information.
\vbseo\includes\functions_vbseo_url.php
Line 515:
Old
Code:
if (defined('VBSEO_UNREG_EXPIRED'))return;
New
Code:
{REMOVE ONLY}
^ This removes a variable that allows for unregistered versions to exist in this query.
\vbseo\includes\functions_vbseo_vb.php
Line 1077:
Old
Code:
vbseo_int_var($aids);
New
Code:
{REMOVE ONLY}
^ This removes the auto-injected affiliate ID.
To be honest, I don't think their affiliate system ever worked. I would even go so far as to suggest that it was intentionally broken. You'd send them traffic, but not get credit for it -- or the commissions for sales!
\vbseo\includes\functions_vbseocp.php
Line 515:
Old
Code:
$lictext = $liccode = $vboptions['vbseo_confirmation_code'];
if(!$liccode)
$lictext = self::lang('contact_license');
if(preg_match('#Unauthorized Upgrade#i', $liccode))
{
$lictext = self::lang('unauth_upgrade');
$liccode = '';
}
$keyvalid = $liccode && ($liccode == vBSEO_Storage::setting('VBSEO_LICENSE_CODE'));
$repl = array(
'version' => VBSEO_VERSION2_MORE.(defined('VBSEO_LICENSE_STR') ? (VBSEO_LICENSE_TYPE==1 ? '' : ' '.VBSEO_LICENSE_STR) : ', Unreg'),
'lic_code' => vBSEO_Storage::setting('VBSEO_LICENSE_CODE'),
'keyclass' => $keyvalid ? 'success' : 'error',
'keycheck' => self::lang($keyvalid ? 'cp_validkey' : 'cp_invalidkey'),
'valid_code_msg' => $lictext,
'valid_class' => $liccode ? 'green' : 'red',
'valid_code' => $liccode,
);
if(!$liccode)
$result['messages'][] = array('attention', self::lang('cannot_retrieve_license'));
New
Code:
{REMOVE ONLY}
^ This removes the license text from the vBSEO control panel (usually accessed via the vBulletin admincp).
\vbseo\includes\functions_vbseocp_abstract.php
Line 199:
Old
Code:
'checkver'=> 'http://www.vbseo.com/info/vbseo_checkver.js?ver=' . VBSEO_VERSION2_MORE,
New
Code:
{REMOVE ONLY}
^ This removes another callback ('phone home') query that poses a huge security risk. I believe that this was the code that was hacked on vBSEO.com, which led to the widespread hacking from December 2011 and January 2012.
___
Line 511-514:
Old
Code:
unset($settings['VBSEO_LICENSE_CODE']);
global $vboptions;
if($vboptions['vbseo_confirmation_code'])
$settings['VBSEO_LICENSE_CODE'] = $vboptions['vbseo_confirmation_code'];
New
Code:
{REMOVE ONLY}
^ This is part of the post-callback that will either allow or deny vBSEO from functioning.
___
Line 592:
Old
Code:
unset($all_settings['VBSEO_LICENSE_CODE']);
New
Code:
{REMOVE ONLY}
^ This is also part of the post-callback that will either allow or deny vBSEO from functioning.
Continued in next post...
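An audit pass for the edits above, as an added example that is not part of the original post: it lists every remaining reference to vbseo.com or crawlability.com under a directory (a MySQL dump saved as .sql is scanned too) and reports which names are not yet mapped to 127.0.0.1 in a hosts file. The function names, the list of scanned extensions and the inclusion of the www. names are assumptions of this example.

```python
import os
import re

# Domains the guide says must no longer be referenced anywhere in the install.
CALLBACK_DOMAINS = ("vbseo.com", "crawlability.com")
DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*(" + "|".join(map(re.escape, CALLBACK_DOMAINS)) + r")\b",
    re.IGNORECASE,
)
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm", ".xml", ".sql")  # assumed set


def find_references(text):
    """Return (line_number, domain, line) for every callback-domain hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in DOMAIN_RE.finditer(line):
            hits.append((lineno, match.group(1).lower(), line.strip()))
    return hits


def scan_tree(root):
    """Walk root and map each file with hits to its list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_references(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if hits:
                report[path] = hits
    return report


def unpinned_hosts(hosts_text):
    """Return the names (bare and www.) not mapped to 127.0.0.1 in a hosts file."""
    pinned = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            pinned.update(name.lower() for name in fields[1:])
    wanted = [p + d for d in CALLBACK_DOMAINS for p in ("", "www.")]
    return [name for name in wanted if name not in pinned]
```

Call `scan_tree()` on the forum root and on a directory holding the database export, and pass the contents of the server's hosts file to `unpinned_hosts()`; an empty result from both means no listed reference remains.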