Admins advised to select a different tool for the SEO job

Jan 8, 2015 21:30 GMT

An alert from the vBulletin developer team informs customers of a security vulnerability in vBSEO, a search engine optimization solution for the content on forums running vBulletin.

Admins expecting the release of an update to fix the issue should be aware that development on the vBSEO project stopped last year.

In its communication, vBulletin tells users that although the package is now defunct, there is a solution for the issue. It consists of commenting out a couple of lines of code inside vbseo/includes/functions_vbseo_hook.php.

The two lines in question are the following:

    // if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
    // $permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;

If the Suspect File Versions diagnostics tool is also run, admins should generate a new MD5 for the affected file and take the necessary steps for the new hash sum to be recognized as valid.

However, vBulletin warns in the email that there is no guarantee the above modification makes exploiting the security flaw (tracked as CVE-2014-9463) impossible, and that the team is not responsible should something go wrong.
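One way to confirm that the edit described above was made completely and to obtain the new MD5, as an added example that is not vBulletin's or vBSEO's code: the script classifies each of the two statements as active, commented or absent in a copy of functions_vbseo_hook.php. The function names, the loose matching and the sample input are assumptions made for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# The two statements from vBulletin's notice, as quoted in the article.
STATEMENTS = {
    "referer_check": "if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))",
    "referer_concat": "$permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;",
}

def loose_regex(stmt):
    """Compile a PHP statement into a regex tolerant of spacing and quote style."""
    tokens = re.findall(r"\$?\w+|\S", stmt)
    return re.compile(r"\s*".join("['\"]" if t == "'" else re.escape(t) for t in tokens))

def audit_hook(source):
    """Classify each statement as 'active', 'commented' or 'absent'."""
    # Naive comment stripping (not string-aware): /* */ blocks, then // and # lines.
    active = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    active = re.sub(r"(//|#).*", "", active)
    report = {}
    for name, stmt in STATEMENTS.items():
        pattern = loose_regex(stmt)
        if pattern.search(active):
            report[name] = "active"
        else:
            report[name] = "commented" if pattern.search(source) else "absent"
    return report

def workaround_applied(report):
    """True only when both statements are present and commented out."""
    return all(state == "commented" for state in report.values())

def md5_hex(data):
    # MD5 of the file bytes: the value to register for the edited file.
    return hashlib.md5(data).hexdigest()

# Constructed sample: only the first line was commented out, so the Referer
# concatenation would run unconditionally instead of being disabled.
HALF_EDITED = """<?php
// if(isset($_REQUEST['ajax']) && isset($_SERVER['HTTP_REFERER']))
$permalinkurl = $_SERVER['HTTP_REFERER'].$permalinkurl;
"""

if __name__ == "__main__":
    # Pass the path to the file, e.g. vbseo/includes/functions_vbseo_hook.php
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else HALF_EDITED.encode()
    report = audit_hook(data.decode("utf-8", "replace"))
    print(report, "workaround applied:", workaround_applied(report))
    print("MD5:", md5_hex(data))
```

A result of "absent" means the file does not contain the quoted statements in a recognizable form, so the script reports the workaround as not applied rather than guessing.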

Wayne Luke, technical support lead at vBulletin, says that the issue was discovered by “other Internet Brands [vBulletin’s parent company] verticals and also fixed by them.” vBulletin simply relayed the message to the customers who may be impacted.

The recommendation for admins is to remove vBSEO from the system and select a different, actively developed tool for search engine optimization.