Sucuri reports outdated server software on the UK online shop Kapow Toys. As a registered customer on the said site, I wonder whether there could be any security risks related to this finding?
Outdated software should always be considered as a risk.
Especially when it comes to server/website software.
Updates mostly address two things:
- Security fixes
- Support for newer standards (protocols, html, php etc).
One other thing is that I just noticed that sometimes when I visit the Kapow Toys site, the link “c.go-mpulse.net” appears on the NoScript website domain list. I personally have no idea what that would be, but it has some hits on VirusTotal…
https://www.virustotal.com/en/domain/c.go-mpulse.net/information/
Hi Pernaman,
Old code → -http://media.kapowtoys.co.uk/js/87baa278cc7a13254062ffccb1b52894.js
and Prototype JavaScript framework, version 1.7 with issues.
We see the NoScript alerts (and those of any other script blocker, uMatrix for instance) for www.kapowtoys.co.uk for external links to htxp://s7.addthis.com/, which is prevented from loading by default (could lead to ads, pop-up adware etc.).
Here: Script loaded: -http://s7.addthis.com/js/300/addthis_widget.js
& -http://s7.addthis.com/static/menu.f69da47d305e6f24c64c.js
Script loaded: -http://m.addthis.com/live/red_lojson/300lo.json?9ug8tk&colc=1452673391163&si=5696096e71225ed8&uid=5696096fe3bbf8c1&pub=ra-56617886949baab4&rev=v4.1.2-wp&jsl=35&ln=en&pc=men&dp=www.kapowtoys.co.uk&of=0&uf=1&pd=0&irt=0&md=0&ct=1&tct=0&abt=0<=110&cdn=0&tl=c%3D118%2Cm%3D158%2Ci%3D178%2Cxm%3D278%2Cxp%3D280&pi=1&&rb=0&gen=100&callback=_ate.track.hsr&mk=Selling%20Generation%201%20Transformers%20and%20Action%20Figures.Buy%20Transformers.G1%20for%20sale%2CParts%20and%20Accessories%2CInstruction%20Manuals%2CBooks%2CComics%2CCybertron%2CArmada%2CGeneration%202%2CClassics%2CUniverse%202.0&uvs=5696096e5d3536e1000&chr=UTF-8&vcl=0
Script loaded: -http://s7.addthis.com/static/layers.b1bac13e042a23a22c4c.js
Some versions of prototype.js could be exploitable by XSS. The version here may not be.
66% of the trackers on this site could be protecting you from NSA snooping. Tell kapowtoys.co.uk to fix it.
Unique IDs about your web browsing habits have been insecurely sent to third parties.
On the user log-in page this is 80% for Google.
v1%3a144XXXXXX442714185 Twitter guest_id
I find 9 trackers: www.kapowtoys.co.uk
Google
Google
Google
Facebook
Twitter
media.kapowtoys.co.uk
local.adguard.com
www.mustbebuilt.co.uk www.mustbebuilt.co.uk
HTTP only cookies: Warning
Requested URL: http://www.kapowtoys.co.uk/ | Response URL: -http://www.kapowtoys.co.uk/ | Page title: Home | HTTP status code: 200 (OK) | Response size: 111,919 bytes (gzip’d) | Duration: 1,038 ms
Overview
Cookies not flagged as “HttpOnly” may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the “HttpOnly” flag is missing it is due to oversight rather than by design.
Result
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):
frontend : aa2510754e3xxxxxxad69861db1e4d5
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.
DNS Issue: Check MX Records for Duplicates
WARNING: MX records duplicates (same IP address):
64.233.165.27: [alt1.aspmx.l.google.com. aspmx2.googlemail.com.]
74.125.68.27: [alt2.aspmx.l.google.com. aspmx3.googlemail.com.]
Although technically valid, duplicate MX records have no benefits and can cause confusion.
Log-in encrypted - communications not encrypted.
Reds only because the IP address report is new: http://toolbar.netcraft.com/site_report?url=http://91.192.194.88
So there are some minor issues to be addressed. But as a rule I would wish every site on the world wide webs had a security record like this one… But they have overlooked Magento security: a very serious bug in that version that could let attackers read out all files on that website, which could lead to a session hijack. This should be patched with an upgrade to a later version of the software (2.0). How to? → https://magecomp.com/blog/how-to-install-magento-security-patches/
polonus (volunteer website security analyst and website error-hunter)
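The “HttpOnly” finding above is a plain header check, so here is an added example (not from the post or from the scanner polonus used) that parses Set-Cookie headers and reports missing HttpOnly, Secure and SameSite flags; the two sample headers are constructed, modelled on the “frontend” cookie in the report, and are not captured from the shop.

```python
"""Audit Set-Cookie headers for the flags discussed above.

Added example; the sample headers are constructed, not captured from
kapowtoys.co.uk. Uses only the Python standard library.
"""
from typing import Dict, List

# Constructed sample of what a scanner sees in an HTTP response:
# the first mirrors the unflagged "frontend" cookie, the second is a hardened one.
SAMPLE_SET_COOKIE = [
    "frontend=aa2510754e3xxxxxxad69861db1e4d5; expires=Wed, 13-Jan-2016 10:00:00 GMT; path=/; domain=www.example.invalid",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()  # bare flags such as HttpOnly map to ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str, over_https: bool = True) -> List[str]:
    """Return findings for one cookie; an empty list means it passes this check."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{cookie['name']}: missing HttpOnly (readable via document.cookie, so exposed to XSS)")
    if over_https and "secure" not in attrs:
        findings.append(f"{cookie['name']}: missing Secure (also sent over plain HTTP)")
    if "samesite" not in attrs:
        findings.append(f"{cookie['name']}: missing SameSite (no cross-site request restriction)")
    return findings


def audit_response(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name in a response to its list of findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h, over_https) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_SET_COOKIE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```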
I haven’t got into reporting this issue to the site owners themselves due to some personal stuff going on lately, but I received a quick reply after finally giving a message to the shop’s contact email:
Thanks [my name], that was a Magento buy which has been fixed via a patch, it’s much appreciated you bringing it to our attention, shame the customer who posted it couldn’t
All the best
[shop’s representative’s name]
I think he typed “bug” wrong
Hi Pernaman,
That is one less of the manifold CMS insecurities on the Interwebs, so good it has been flagged and mitigated. I found that particular issue because of my Appspector extension in the browser. It alerts for outdated software. Sucuri did give the Magento issue, but as a rule they do not flag outdated PHP versions, just the occasional WP and Joomla outdated versions and configuration. I always check at hackertarget.com for outdated CMS plug-ins, misconfigurations etc. They have scanners for WP, Joomla and Drupal; for some of their scans you have to become a member and log in, but their public scans may reveal the most obvious of insecurities with platforms and websites. Oh, using the Scan WP extension in the browser is also revealing as to the plug-ins, themes and technology used.
polonus
@pernaman and all others interested,
When you find such insecurities online, be cautious with these data, as they often may not show or represent the actual present real data. Sometimes an admin alters version info to mislead attackers/hackers. A history via a Netcraft website report will give you a better insight into what they did. Once an admin here on the forums renamed his server AWS = Avast Web Server. But attackers have other ways to find out what is really running there with quite some accuracy.
So that is all bad practice, as servers should go “mum is the word to the world” altogether and completely, same for vulnerable jQuery libraries. To rename the retirable version and live on in the perpetual bliss of no longer being detected means the insecurities will stay with you. This is cheating on yourself and your visitors. Admins that are into such practices should suffer the consequences when management or their boss finds out.
polonus
That’s a rather interesting bit of information, polonus.
Overall, to my understanding there seem to be no other security quirks on the Kapow Toys website besides those you already listed, with the Magento bug being (seemingly) fixed?
Hi Pernaman,
You are right there and you might have observed by now that website security is an ongoing (learning) process.
Thanks for all your contributions so far, many of which have led us to many an interesting discussion.
polonus
Hi Pernaman,
Your site failed the SRI Test Scan: https://sritest.io/#report/04fc4b00-34a8-4b60-9c79-4031cd0c65e5
Scripts: 2 issues
Stylesheets: 2 issues
I give this for what it is worth; in this light the site does not get more than an F status.
polonus (volunteer website security analyst and website error-hunter)
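Since the SRI test above concerns whether third-party scripts and stylesheets carry an integrity attribute, here is an added example (not from the post, sritest.io or the shop) that computes the integrity token for a script, builds the tag the site would publish, and mimics the browser-side check, including the rule that only the strongest listed algorithm counts; the script body and URL are constructed stand-ins for a CDN file such as addthis_widget.js.

```python
"""Subresource Integrity (SRI): generate and verify integrity tokens.

Added example; SCRIPT_BODY and SCRIPT_URL are constructed placeholders,
not the real addthis files. Uses only the Python standard library.
"""
import base64
import hashlib

# Constructed sample of a third-party script as served by a CDN.
SCRIPT_BODY = b"window.addthis = {version: 'v4.1.2'};\n"
SCRIPT_URL = "https://cdn.example.invalid/addthis_widget.js"  # placeholder URL

# SRI permits these digests; browsers keep only the strongest algorithm listed.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an integrity token '<algo>-<base64 digest>' for the given bytes."""
    if algo not in STRENGTH:
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, body: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag a site operator publishes to pin a third-party file.
    crossorigin="anonymous" is required for cross-origin resources to be checked."""
    return f'<script src="{url}" integrity="{sri_hash(body, algo)}" crossorigin="anonymous"></script>'


def browser_check(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser rule: discard unknown algorithms, keep only the strongest
    listed one, and accept the resource if any token of that algorithm matches."""
    tokens = [t for t in integrity.split() if "-" in t]
    parsed = [(t.split("-", 1)[0], t) for t in tokens]
    parsed = [(algo, tok) for algo, tok in parsed if algo in STRENGTH]
    if not parsed:
        return True  # no recognised metadata: the browser loads without checking
    best = max(STRENGTH[algo] for algo, _ in parsed)
    return any(sri_hash(fetched, algo) == tok for algo, tok in parsed if STRENGTH[algo] == best)


if __name__ == "__main__":
    tag = script_tag(SCRIPT_URL, SCRIPT_BODY)
    print(tag)
    print("unmodified accepted:", browser_check(sri_hash(SCRIPT_BODY), SCRIPT_BODY))
    print("tampered accepted:  ", browser_check(sri_hash(SCRIPT_BODY), SCRIPT_BODY + b"//x"))
```

A pinned file that the CDN later updates will fail the check and not run, which is the trade-off the shop would need to manage when adopting SRI.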
I’m not familiar with sritest.io, so could you give info about what its F-Status means?
Hi I work on the Kapow Toys site
So just to reassure:
- We are not using the old version of Magento that Sucuri reports.
- Mpulse is just a performance monitoring tool http://www.soasta.com/performance-monitoring/ we use to see what the site’s performance is for different locations and devices. So for example we can see how the site performs in Mongolia on a mobile phone, and whether that performance is acceptable. We just use it to sample say every 100th request, which is why it only appears sometimes. That’s the “c.go-mpulse.net”.
- Thanks for pointing out sritest.io, SRI hashes are an interesting idea we will think about implementing moving forward; it looks like it’s moving away from draft status.
You can see our newly updated cookies information here http://www.kapowtoys.co.uk/privacy.html#cookies
Sorry for the delay in replying
Hi Adam Kapow!
Thank you for your reaction and explanation. SRI security would certainly enhance your security against XSS attacks, also given the nature of your website.
polonus