This finnish website infected?

system · 2017-04-28T13:13:04.000Z

Sucuri reports malware for finnish website “Yle Areena”, a website owned by finnish television network. By far I haven’t seen any news information of site being actually infected, and given how the network is probably country’s biggest. Could this be some sort of false positive, if it’s not something that has happened just now?

https://sitecheck.sucuri.net/results/areena.yle.fi/tv

Pondus · 2017-04-28T13:28:46.000Z

areena.yle.fi/awp-assets/generated/bundle.js?checksum=94aebde8f9384075c64d98485c2285add400ad680c8c853debdaaa610b2f5a47

No detection
https://www.virustotal.com/en/file/fe149b7b59f1b1061c36b18a2688c3b85cf2d9cc77d5fe1bd0723ca23538998a/analysis/

polonus · 2017-04-28T14:29:40.000Z

But Redleg’s fileviewer catches it as with possible problems: -1 → -yle.fi/tekstitv/html/P100_01.html
mailmunch and pharmaspam related overflow…

Results from scanning URL: -http://yle.fi/tekstitv/html/P100_01.html
Number of sources found: 6
Number of sinks found: 391

Error in this script detected

found JavaScript
error: line:4: SyntaxError: missing ; before statement:
error: line:4: Results from scanning URL: htxp:/yle.fi/global/sitestat/sitestat.min.js (40 sources and 16 sinks)
error: line:4: ^

Furthermore there is vulnerable PHP: Server: Apache/2.2.22 X-Powered-By: PHP/5.3.10-1ubuntu3.21
https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-125887/PHP-PHP-5.3.10.html

polonus

system · 2017-04-28T15:29:48.000Z

Thanks again polonus! So apparenty good old not anything directly/visibly malicious but still problems with sites coding stuff? :-\

polonus · 2017-04-28T16:45:54.000Z

Hi Pernaman,

Good I could set your mind a bit more at ease. However the website could improve the security status of their source code somewhat,
I assume. Have a good weekend, my friend,

polonus

system · 2017-04-28T18:01:10.000Z

Not sure though if somethign recent on the site made Sucuri to alarm it, given how last time I tried to scan the site on Sucuri it showed green. ???

polonus · 2017-04-28T21:56:08.000Z

This is what Quttera flags as potentially suspicious: Results from scanning URL: -http://areena.yle.fi/awp-assets/generated/bundle.js?checksum=94aebde8f9384075c64d98485c2285add400ad680c8c853debdaaa610b2f5a47
Number of sources found: 337
Number of sinks found: 441
SyntaxError: missing ; before statement: something with the stream there, e.g. format(‘woff’),url('data:application/octet-stream;base64,
Well to create the blob data → http://stackoverflow.com/questions/16245767/creating-a-blob-from-a-base64-string-in-javascript
or even this tool: https://github.com/atanasovskib/excellentexport/commit/7eab22b00a5732791c8fa293c84bcd870116b07b

What I have seen, I would not be too alarmed. As the code is "same origin"as proper SRI hash is generated, it is secure.
But there are SRI issues but for external script links: https://sritest.io/#report/db16d52a-1890-471f-a97b-c948ed76960a
which gives the website in this respect a D-status only. Active for -https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js
That is all I could dig up for you at the moment. By the way the code flagged as potentially suspicious by Quttera’s was developed in Sweden.

About the risk of the blob database

What’s important is what kind of validation you do, and how you address the threats. Any of the standard mitigations can be made to work, no matter how you decide to store the uploaded file – the important thing is that you understand the risks and select mitigations appropriate that are appropriate for your application.

Quote information credits go to StackOverflow’s D.W. & rook (with data stored in a file you have much more control over it).

polonus (volunteer website security analyst and website error-hunter)

Announcements