vBSEO 3.6.0 PHP code injection

Description

vBSEO 3.6.0, a popular SEO plugin for vBulletin forums, contains a critical code injection vulnerability in the 'proc_deutf()' function located in /includes/functions_vbseocp_abstract.php. The vulnerability exists because user-supplied input from the 'char_repl' POST parameter is not properly sanitized before being passed to the preg_replace() function with the dangerous 'e' modifier enabled. Attackers can exploit this flaw using PHP's complex curly brace syntax to inject and execute arbitrary PHP code on the server without authentication.

Remediation

Apply the following remediation steps immediately:

1. Upgrade vBSEO: Update to the latest patched version of vBSEO that addresses CVE-2012-5223. Contact the vendor for the most recent secure release.

2. Temporary Mitigation: If immediate patching is not possible, disable or restrict access to the vulnerable functionality by implementing input validation for the 'char_repl' parameter. Remove or sanitize any user input before it reaches the preg_replace() function.

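3. Code-Level Fix: If modifying the source code, replace preg_replace() calls using the 'e' modifier with preg_replace_callback(), which does not evaluate the replacement string as PHP code:

// Replace vulnerable code like this, where $pattern carries the 'e'
// modifier after its closing delimiter (the form '/.../e'):
$result = preg_replace($pattern, $replacement, $subject);

// With the secure alternative ($pattern without the 'e' modifier):
$result = preg_replace_callback($pattern, function ($matches) use ($replacement) {
    // Safe replacement logic here; the returned string is inserted literally
    return $replacement;
}, $subject);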

4. Post-Remediation: Review server logs for signs of exploitation, scan for web shells or unauthorized files, and consider resetting credentials if compromise is suspected.
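
To locate the calls that step 3 asks you to replace, the following added example (not vBSEO or Invicti code) scans PHP source for preg_replace() calls whose pattern literal carries the 'e' modifier, and flags calls whose pattern is not a plain string literal for manual review. The names audit and classify and the sample source are constructed for illustration.

```python
import re

# PCRE bracket-style delimiters close with a different character.
BRACKETS = {"(": ")", "{": "}", "[": "]", "<": ">"}
CALL = re.compile(r"\bpreg_replace\s*\(\s*", re.IGNORECASE)
# A quoted PHP string literal as first argument, honouring backslash escapes.
LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1\s*,""", re.DOTALL)

# Constructed sample input, not taken from vBSEO.
SAMPLE = r"""<?php
$a = preg_replace('/(\w+)/e', 'strtoupper("$1")', $s);
$b = preg_replace("#\s+#", ' ', $s);
$c = preg_replace($find, $repl, $s);
$d = preg_replace_callback('/x/', 'cb', $s);
$e = preg_replace('~<b>(.*?)</b>~sie', '$1', $s);
"""


def classify(pattern):
    """Return 'eval-modifier', 'ok' or 'dynamic' for one PCRE pattern literal."""
    pattern = pattern.lstrip()
    if len(pattern) < 2:
        return "dynamic"
    closing = BRACKETS.get(pattern[0], pattern[0])
    end = pattern.rfind(closing)
    modifiers = pattern[end + 1:]
    if end <= 0 or (modifiers and not modifiers.isalpha()):
        return "dynamic"  # delimiters could not be parsed: needs a human
    return "eval-modifier" if "e" in modifiers else "ok"


def audit(source):
    """List (line, verdict) for preg_replace() calls that need attention."""
    findings = []
    for call in CALL.finditer(source):
        line = source.count("\n", 0, call.start()) + 1
        literal = LITERAL.match(source, call.end())
        # A variable, concatenation or array as first argument is 'dynamic'.
        verdict = classify(literal.group(2)) if literal else "dynamic"
        if verdict != "ok":
            findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE):
        print(f"line {line}: {verdict}")
```

A 'dynamic' finding means the pattern is built at runtime, so the modifier cannot be read from the source and the call has to be traced by hand.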
