Another website with Magento CMS and security issues...

See: https://www.htbridge.com/websec/?id=Hdlj6Ooy Final grade = F-grade…
Re medium rate issues: https://www.magereport.com/scan/?s=https://www.ajinca.com/
Consider: https://aw-snap.info/file-viewer/?protocol=secure&tgt=www.ajinca.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
Reported on IP: https://www.abuseipdb.com/check/23.88.238.172 & https://urlquery.net/queue/ec44bb2f-050e-42e1-9bdd-6a39af05d835

Over 50 security errors: https://sonarwhal.com/scanner/ef0d4153-6a6f-4821-9c2d-1788979b632c
e.g. ERROR
Cross-origin scripts need a “crossorigin” attribute to be eligible for integrity validation
https://magentocore.net/mage/mage.js:2109:1

polonus

And again the main threat here lies within that PHP-based CMS,
namely this website’s Magento CMS is vulnerable to credit card jacking:
https://www.magereport.com/knowledgebase/how-to-fix-credit-card-hijack
Also read: https://www.byte.nl/blog/widespread-credit-card-hijacking-discovered

And then the lack of cross-origin integrity validation is not helping much to protect in this respect,
when CMS patches are also not being applied. Info credits go to gwillem.
Hopefully collector servers for this card jacking’s remote locations have been taken down by Dutch Cyber Security Forces.

polonus (volunteer website security analyst and website error-hunter)
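
An added example, not part of the posts above and not code from any of the linked scanners: a small audit of a page's external script tags for the two conditions discussed here, a cross-origin script host nobody expects and integrity validation that is missing or lacks the crossorigin attribute. The hosts shop.example, cdn.example and unknown.example, the allowlist and the names ScriptAudit and audit are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def origin(url):
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port)

class ScriptAudit(HTMLParser):
    """Flag external <script> tags loaded from another origin (hypothetical helper)."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return  # inline scripts are out of scope here
        url = urljoin(self.page_url, a["src"])  # resolves relative and //host forms
        if origin(url) == origin(self.page_url):
            return
        if urlparse(url).hostname not in self.allowed_hosts:
            self.findings.append((url, "host not on allowlist"))
        if not a.get("integrity"):
            self.findings.append((url, "no integrity attribute"))
        elif "crossorigin" not in a:
            # SRI on a cross-origin script needs a CORS-mode fetch (crossorigin attribute).
            self.findings.append((url, "integrity without crossorigin"))

def audit(html, page_url, allowed_hosts):
    parser = ScriptAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hosts and hash strings are placeholders.
SAMPLE = """
<script src="/js/prototype.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/ui.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//unknown.example/mage/mage.js"></script>
"""

if __name__ == "__main__":
    for url, problem in audit(SAMPLE, "https://shop.example/", {"cdn.example"}):
        print(problem, url)
```

A script host that is not on the shop's own allowlist is the finding to look at first, since integrity attributes only protect scripts the site owner placed there.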

A further error report → (script) -magentocore.net/mage/mage.js
status: (referer=wXw.ajinca.com/index.php?m=content&c=rss&catid=10) saved 8768 bytes 1ce93fbd2e18f064d1681fbb0a701fcad40492e8
* see the attached obfuscated code presented as a harmless txt file

error

-www.ajinca.com/media/magentothem/default/loader.gif
info: [decodingLevel=0] found JavaScript
error: undefined variable Mage
error: undefined variable Mage.Cookies
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var Mage.Cookies = 1;
error: line:1: …^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3:
error: line:3: …^
&
[embed] wXw.ajinca.com/media/js/
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete)

Interesting, isn’t it? Bitdefender’s Traffic Light blocks the -magentocore.net/mage/mage.js code as a PHISHING attempt!

polonus