See: http://killmalware.com/aaqnet.com/
Results from scanning URL: htxp://www.theincubationfactory.com/xmlrpc.php
via
htxp://lacreatina.net/wp-content/plugins/bwp-minify/min/?f=wp-content/themes/ctr-theme/js/column-align.js,wp-content/plugins/wp-seo-images/assets/js/admin.js
via: htxp://s.gravatar.com/js/gprofiles.js?ver=2014Octaa
via: htxp://stats.wp.com/e-201441.js
via: htxp://s.gravatar.com/js/gprofiles.js?ver=2014Octaa
via: htxp://stats.wp.com/e-201441.js
going to: -//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Malicious: http://zulu.zscaler.com/submission/show/e7857efdb5f98f7620d258fdf2f59c39-1413136296
warnings on site: https://asafaweb.com/Scan?Url=aaqnet.com%2Findex.html
Blacklisted by Google Safebrowsing
polonus
So what is in that code there that is open to be manipulated? The sink is the data in var data=
We can edit and enter the data by hand. Furthermore: .location and innerHTML.
See for script code: http://jsunpack.jeek.org/?report=d335f2a8a759d660a75966b00df2d4143e6d942b
For security research only, open above link with NoScript active and inside a VM.
See:
This in the code is “not defined” for referer: -html5shiv.googlecode.com/svn/trunk/html5.js
Read broken for IE: https://www.drupal.org/node/2025611
Patch:
diff --git a/templates/html.tpl.php b/templates/html.tpl.php
index a1c9c70..79d5cdc 100644
--- a/templates/html.tpl.php
+++ b/templates/html.tpl.php
@@ -5,7 +5,7 @@
<title><?php print $head_title; ?></title>
<?php print $styles; ?>
<?php print $scripts; ?>
-<!--[if lt IE 9]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
+<!--[if lt IE 9]><script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
</head>
<body class="<?php print $classes; ?>"<?php print $attributes; ?>>
<?php print $page_top; ?>
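Review bot: the `-`/`+` pair only changes the scheme of the src to protocol-relative (`//html5shiv.googlecode.com/svn/trunk/html5.js`), which removes the mixed-content block when the page is served over HTTPS, but the theme still executes a script fetched from a third-party host at a moving `svn/trunk` path, with no integrity check and no control over what that host serves; prefer shipping html5.js inside the theme and referencing it via the theme path, or at least pin a fixed revision instead of trunk so the file cannot change underneath the site.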
This also has the c.innerHTML= sink.
With further vulnerable code residing here: htxps://p2.zdassets.com/assets/node_pubsub_2-ef78063b19ef2b1324218ba36b836bff.js
This means that the address is available and that you can claim it at htxp://www.zendesk.com/signup/
Site was earlier vulnerable to Heartbleed and still is not secure in the eyes of Netcraft’s report,
see: http://toolbar.netcraft.com/site_report?url=https://p2.zdassets.com (risk 2 out of 10!)
Just some personal musings here about insecurities we could detect via cold reconnaissance 3rd-party scanning, issues I have just skimmed while going over the site’s source code to help awareness, and naturally I won’t go into any particulars.
What helps to solve such an insecure situation is the right server and CMS updates and patches, implementation of the right “HTTP Header Security” configuration and a decent check to prevent input manipulation, aka input validation.
Without these issues addressed the website could become prey to attacks any moment.
polonus