Unknown_html_RFI_eval on website...

polonus · 2015-07-25T20:56:46.000Z

See: https://www.virustotal.com/nl/url/52b41dd1165fb522cde30438353a1af40b5248c5cd91627ddbcd68bba658bfdc/analysis/1437856355/
/webacappella_tools.js?v=blf → Application: WebAcappella 4.6.12 professional (WIN) #a40 (from untrusted domain:
https://sanet.me/.../intuisphere_webacappella_e_com)…Troj/JSRedir-OI there?
Severity: Suspicious
Reason: Detected suspicious function call.
Details: Detected suspicious PHP call: exec( _str )
Offset: 8429
Threat dump:

  [[= _o.parser[ _o.strictMode ? "strict" : "loose" ].exec( _str ),   _uri = {},   _i = 14;   while ( ]]

Threat dump MD5: 7DD243F61BBD937E0CF72014FD9DDEF0
File size[byte]: 9329
File type: PHP
Page/File MD5: 3287E3650492A46BC981501E498AEE00
See: https://asafaweb.com/Scan?Url=cycloclubmerten.free.fr
and http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcycloclubmerten.free.fr&useragent=Fetch+useragent&accept_encoding=
Scan duration[sec]: 0.024000

See: Results from scanning URL:-http://cycloclubmerten.free.fr/jquery.mousewheel.js?v=use
Number of sources found: 38
Number of sinks found: 21

Results from scanning URL: -http://www.webtutoriaux.com/services/compteur-visiteurs/index.php?client=151573
Number of sources found: 31
Number of sinks found: 10

pol

polonus · 2015-07-25T21:23:06.000Z

Netcraft website risk status, 7 red out of 10: http://toolbar.netcraft.com/site_report?url=http://cycloclubmerten.free.fr
JQuery version vulnerability: http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003

Security header scan:
X-Frame-Options

Uh oh! X-Frame-Options does not appear to be found in the site’s HTTP header, increasing the likelihood of successful clickjacking attacks.

Strict-Transport-Security

Uh oh! Strict-Transport-Security does not appear to be found in the site’s HTTP header, so browsers will not try to access your pages over SSL first.

Nosniff

Uh oh! nosniff does not appear to be found in the site’s HTTP header, allowing Internet Explorer the opportunity to deliver malicious content via data that it has incorrectly identified to be of a certain MIME type.

X-XSS-Protection

Uh oh! We didn’t detect any mention of X-XSS-Protection in headers anywhere, so there’s likely room to improve if we want to be as secure as possible against cross site scripting.

Promiscuous CORS Support

Good news! Access-Control-Allow-Origin: * wasn’t found in the site’s HTTP header, so XHR Cross Object Resource Sharing requests are prohibited or should be tuned to cycloclubmerten.free.fr’s desired settings.

Content Security Policy

Uh oh! We did not detect Content-Security-Policy , x-webkit-csp, or even x-webkit-csp-report-only in the site’s HTTP header, making XSS attacks more likely to succeed.

UTF-8 Character Encoding

Uh oh! utf-8 doesn’t appear to be declared in this site’s HTTP header, increasing the likelihood that malicious character conversion could happen. Maybe it is declared in the actual HTML on the site’s pages. We hope so.

Server Information

Uh oh! Server: was found in this site’s HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!

X-Powered-By

Good news! X-Powered-By was not found in this site’s HTTP header, making it harder for attackers to know about potential vulnerabilities that may exist on your site!

Cross Domain Meta Policy

Uh oh! Permitted-Cross-Domain-Policies does not appear to be found in the site’s HTTP header, so it’s possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and pdf files…

polonus

polonus · 2015-07-25T23:08:23.000Z

Similar vulnerability schemes here: https://www.virustotal.com/nl/url/fdc0c0accfb267d743671f5fa08248925cb7503243a7422da7526bf791b7b47b/analysis/1437864399/
Check: -http://pterrible.free.fr/justerrible/Scripts/iWebSite.js
Website Risk Status 7 red out of 10: http://toolbar.netcraft.com/site_report?url=http://pterrible.free.fr
Vulnerable Framework → iWebImage.js → http://security.stackexchange.com/questions/52828/js-code-vulnerable
iFrame attack vulnerability. →
http://www.cvedetails.com/vulnerability-list/vendor_id-6541/Prototypejs.html

polonus

polonus · 2015-07-26T20:25:58.000Z

Update analysis:
Javascript Check → Suspicious

r de connectes → </
N.B.: document.write(‘You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘></’’ at line 1
Analyze also http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.webtutoriaux.com
Twice: htxp://www.webtutoriaux.com/Scripts/lib.membre.js Render blocking resource as are"
The elements below are blocking the “above the fold” rendering.
The javascript files below are blocking the rendering.
-http://www.webtutoriaux.com/Scripts/jquery-1.7.1.min.js
-http://www.webtutoriaux.com/Scripts/lib.main.js
-http://www.webtutoriaux.com/Scripts/lib.tutoriel.js
-http://www.webtutoriaux.com/Scripts/lib.membre.js
-http://www.webtutoriaux.com/… /jquery.fancybox.js?v=2.1.4 - outdated version, should be upgraded to v=2.1.5
-http://pub4.media-clic.com/www/delivery/afrs.js

Included Scripts check:

Suspect - please check list for unknown includes

htxp://www.webtutoriaux.com/services/compteur-connectes/index.php?client=1599159

External links check on website:
Please check this list for unknown links on your website:

htxp://ffct.org/activites-federales/securite/ → 'la santé, la sécurité, ’
htxp://ffct.org/activites-federales/securite/ → ‘priorité de la ffct’
htxp://ffct.org/activites-federales/securite/ → ‘lien vers le site de la ffct’
htxp://www.ffct.org → ‘’

polonus (volunteer website security analyst and website error-hunter)

Announcements