Avast is blocking our site biofoto.no

Hi
Avast is the only scanner blocking our site: https://biofoto.no

We’ve got reports from clients, and it shows up in www.virustotal.com

Regards
Geir

Please break active links to suspect sites to avoid accidental exposure: only post the domain name, or change the https to hXXps to break the link.

VT isn’t the only game in town, and a check on VT indicates the last scan was 27 days ago.
This is very recent - https://www.virustotal.com/gui/url/6acf0627433a327316a883f75b8b40d81500e38e7d89fe71606436bbd9c56bdb?nocache=1 - only two hits. Note Avast doesn’t do on-demand scan for websites, only a live user based scan by the Web Shield.

Considered a Medium Security Risk here - https://sitecheck.sucuri.net/results/biofoto.no - with hardening pointers.
Nothing much found here - https://en.internet.nl/site/biofoto.no/2866764/
Minimal Security Risk here - https://quttera.com/detailed_report/biofoto.no - there are a lot of external sites and one or more could have an impact on the reason for an Avast alert. EDIT: though that doesn’t appear to be the case here when I checked. See attached image of the alert.

These may or may not have an impact.

New location to report both a False Positive and/or a False Negative - https://www.avast.com/submit-a-sample#pc (URL or File).

Hi geir6,

The WordPress site has two issues:

User Enumeration

The first two user IDs were tested to determine if user enumeration is possible.

Username, Name: Two IDs are given.

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. Take note that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Set User Enumeration to disabled.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
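The enumeration described in the post above leaves a recognisable trace in the web server's access log: one client walking ?author=1, ?author=2, … and collecting the archive redirects, or hitting the REST users endpoint. The following is an added example, not code from the thread or from polonus, that scans access-log lines for that pattern from the site operator's side. The log lines are constructed for the example (private IPs, made-up timestamps) and the threshold is an assumption.

```javascript
// Added example (not from the thread): flag clients that walk WordPress
// author IDs (?author=1, ?author=2, ...) or query the REST users endpoint.
// The log lines below are constructed for this example.
const ACCESS_LOG = [
  '10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
  '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0',
  '10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 0',
  '10.0.0.5 - - [12/Mar/2024:10:01:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/Mar/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0',
  '10.0.0.9 - - [12/Mar/2024:10:06:00 +0000] "GET /blog/ HTTP/1.1" 200 8192',
  'garbage line that does not parse',
];

// Apache/Nginx "combined"-style prefix: client ident user [time] "method path proto" status bytes
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const AUTHOR_RE = /[?&]author=(\d+)/;
const USERS_ENDPOINT_RE = /^\/wp-json\/wp\/v2\/users(\/|\?|$)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not fatal
  return { ip: m[1], method: m[3], path: m[4], status: Number(m[5]) };
}

// One finding per client that requested at least `minDistinctIds` different
// author IDs or touched the REST users endpoint. A 3xx answer to ?author=N is
// the archive redirect that exposes the username in the Location header.
function detectAuthorEnumeration(lines, { minDistinctIds = 2 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const authorMatch = AUTHOR_RE.exec(req.path);
    const hitsUsers = USERS_ENDPOINT_RE.test(req.path);
    if (!authorMatch && !hitsUsers) continue;
    const entry = byIp.get(req.ip) ||
      { ip: req.ip, authorIds: new Set(), leakedRedirects: 0, restUsersHits: 0 };
    if (authorMatch) {
      entry.authorIds.add(Number(authorMatch[1]));
      if (req.status >= 300 && req.status < 400) entry.leakedRedirects += 1;
    }
    if (hitsUsers) entry.restUsersHits += 1;
    byIp.set(req.ip, entry);
  }
  const findings = [];
  for (const e of byIp.values()) {
    if (e.authorIds.size >= minDistinctIds || e.restUsersHits > 0) {
      findings.push({
        ip: e.ip,
        authorIds: [...e.authorIds].sort((a, b) => a - b),
        leakedRedirects: e.leakedRedirects,
        restUsersHits: e.restUsersHits,
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectAuthorEnumeration(ACCESS_LOG), null, 2));
```

Run against the constructed log, only 10.0.0.5 is reported (three IDs, two leaking redirects, one REST hit); a single ?author=1 request from 10.0.0.9 stays below the threshold. After the fix polonus recommends (author archives and the users endpoint no longer answering for unauthenticated clients), the same probes should show up as 403/404 with no 3xx, which the leakedRedirects counter makes visible.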

Thanks for the heads-up - issue is fixed :slight_smile:

Geir

You’re welcome.

Website is still being blocked by Avast Online Security.

Two vendors still flag: https://www.virustotal.com/gui/url/6acf0627433a327316a883f75b8b40d81500e38e7d89fe71606436bbd9c56bdb
as being malicious and with hacking.

About code: unquoted property values: There are several instances where property values are not quoted, which can lead to unexpected behaviour. For example, in .editor-document-bar.components-button.has-icon.has-text:hover{background-color:initial;color:var(--wp-block-synced-color)}, the initial value for background-color is not quoted.
Unusual selectors: The selectors used in this code are quite complex and might be difficult to maintain or debug. For example, editor-autocompleters__user.editor-autocompleters__no-avatar:before is a very specific selector that might be hard to maintain or update.
Overuse of !important: There are several instances where the !important keyword is used to override styles. While it’s sometimes necessary, overusing it can lead to maintenance issues and conflicts with other styles.
Lack of semantic HTML: The code seems to be using a lot of custom classes and IDs, which can make it harder to understand the structure of the HTML elements. Using more semantic HTML elements can improve accessibility and search engine optimisation (SEO).
CSS specificity: Some of the styles have very high specificity, which can make it difficult to override them without using !important. This can lead to maintenance issues and conflicts with other styles.

At the hoster Nexthop, I see retirable libraries info:
jquery 3.3.1 - found in https://nexthop.no/js/minified.min.js
Vulnerability info:
Medium - CVE-2019-11358 (4333): jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution - GHSA-6c3j-c64m-qhgq
Medium - CVE-2020-11022 (4642): Regex in its jQuery.htmlPrefilter sometimes may introduce XSS - GHSA-gxr4-xjj5-5px2
Medium - CVE-2020-11023, CVE-2020-23064 (4647): passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code - GHSA-jpcq-cgw6-v4j6

Keep in mind these are just general recommendations, and whether the site is flagged by various av-vendors could be another issue.

Wait for a final verdict by Avast.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
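The retirable-library finding above boils down to a version comparison: jQuery 3.3.1 is older than the release that fixed each advisory. The block below is an added example, not from the thread or from polonus, that maps the three CVEs listed in the post to their fixed-in versions (3.4.0 for CVE-2019-11358 per the advisory text; 3.5.0 for CVE-2020-11022 and CVE-2020-11023, which were fixed in the jQuery 3.5.0 release) and extracts the version from a bundle's banner comment the way a library scanner does. The banner string is constructed for the example.

```javascript
// Added example (not from the thread): which of the jQuery advisories named
// in the post still apply to a given version, and how to find that version
// inside a minified bundle whose file name (minified.min.js) does not carry it.
const JQUERY_ADVISORIES = [
  { id: 'CVE-2019-11358', fixedIn: '3.4.0',
    summary: 'jQuery.extend(true, ...) Object.prototype pollution' },
  { id: 'CVE-2020-11022', fixedIn: '3.5.0',
    summary: 'jQuery.htmlPrefilter regex may introduce XSS' },
  { id: 'CVE-2020-11023', fixedIn: '3.5.0',
    summary: 'untrusted HTML passed to DOM manipulation methods may execute code' },
];

// "3.3.1", "v3.3.1" or "3.4.0-rc1" -> [3, 3, 1]; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric, component-wise comparison so that 3.10.0 sorts after 3.4.0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Advisory IDs whose fix landed after the given version.
function findRetirable(version) {
  return JQUERY_ADVISORIES
    .filter((adv) => compareVersions(version, adv.fixedIn) < 0)
    .map((adv) => adv.id);
}

// jQuery keeps a "/*! jQuery vX.Y.Z | ..." banner even when minified, and
// unbundled copies are usually named jquery-X.Y.Z(.min).js; try both.
function versionFromSource(text) {
  const m = /jQuery v(\d+\.\d+\.\d+)/.exec(text) ||
            /jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js/i.exec(text);
  return m ? m[1] : null;
}

// Constructed sample of the banner line found at the top of a jQuery build.
const SAMPLE_BANNER =
  '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */';

const detected = versionFromSource(SAMPLE_BANNER);
console.log(`jQuery ${detected}: ${findRetirable(detected).join(', ') || 'no listed advisories'}`);
```

Because the hoster's bundle is called minified.min.js, the file name alone tells a scanner nothing; the banner inside the file (or, in a page, the value of jQuery.fn.jquery) is what identifies 3.3.1. Note that 3.4.x only clears the first advisory; the XSS fixes require 3.5.0 or later, which is consistent with the upgrade to 3.6.0 suggested further down the thread.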

Some suggestions for the hosting party.

Upgrade jQuery: As mentioned earlier, upgrade to the latest version of jQuery (3.6.0) to fix the vulnerabilities.
Secure coding practices: Implement secure coding practices, such as input validation, output encoding, and secure protocols, to minimise the risk of XSS attacks.
Sanitise user input: Sanitise user-inputted data before passing it to jQuery’s DOM manipulation methods.
Use Content Security Policy (CSP): Implement a CSP to define which sources of content are allowed to be executed.
Audit and fix vulnerabilities: Conduct a thorough audit of the website’s code and fix any identified vulnerabilities.

polonus with A.I.-support
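The CSP suggestion above is only useful if the policy actually constrains script execution; a header that allows * or 'unsafe-inline' in script-src gives the appearance of protection without the effect. The following is an added example, not from the thread or from polonus, that parses a Content-Security-Policy header, lints it for the settings that defeat it, and builds a tightened policy beside a weak one. The CDN host name is an assumption, and a real WordPress deployment will need hashes or nonces for the inline scripts and styles its plugins emit.

```javascript
// Added example (not from the thread): parse, build and lint a
// Content-Security-Policy header. Host names in the policies are assumed.

// "default-src 'self'; script-src 'self' https://cdn.example" -> Map of directive -> sources
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Inverse of parseCsp for a plain object of directive -> [sources].
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`.trim())
    .join('; ');
}

// Source expressions that let any injected markup run as script.
const RISKY_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:'];

// Returns a list of human-readable problems; an empty list means no finding.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // Fetch directives without an explicit value fall back to default-src.
  const effective = (directive) => policy.get(directive) || policy.get('default-src');

  if (!policy.has('default-src')) {
    findings.push('default-src missing: undeclared fetch directives are unrestricted');
  }
  const script = effective('script-src');
  if (!script) {
    findings.push('script-src has no effective value');
  } else {
    for (const src of script) {
      if (RISKY_SCRIPT_SOURCES.includes(src.toLowerCase())) {
        findings.push(`script-src allows ${src}`);
      }
    }
  }
  const object = effective('object-src');
  if (!object || object.length !== 1 || object[0].toLowerCase() !== "'none'") {
    findings.push("object-src should be 'none' (plugin content can execute script)");
  }
  if (!policy.has('base-uri')) {
    findings.push('base-uri missing: an injected <base> tag could redirect relative script URLs');
  }
  return findings;
}

// A policy that is present but ineffective.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";

// A tightened policy; https://cdn.example stands in for whatever host actually serves assets.
const STRICT_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example'],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'self'"],
};

console.log('weak:', lintCsp(WEAK_CSP));
console.log('strict:', buildCsp(STRICT_POLICY), lintCsp(buildCsp(STRICT_POLICY)));
```

The weak header produces five findings (wildcard, 'unsafe-inline' and 'unsafe-eval' in script-src, object-src inheriting * from default-src, and no base-uri); the tightened one produces none. Deploying such a policy in report-only mode first (Content-Security-Policy-Report-Only) shows which of the site's many external resources it would block before it is enforced.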

Also consider the recent vulnerabilities found here: https://www.shodan.io/host/185.114.57.86

There is an extra security risk with this: See: https://www.nordhost.no/knowledgebase/556/Files-Create-extra-SFTP-users.html

The system could be attacked, or security could be compromised.

polonus