Author Topic: Malicious SE redirects on website flagged? AOS does not flag!  (Read 2305 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34062
  • malware fighter
Malicious SE redirects on website flagged? AOS does not flag!
« on: August 21, 2016, 04:43:07 PM »
See: http://killmalware.com/remida.ru/
and https://sitecheck.sucuri.net/results/remida.ru#sitecheck-details

Web application version:
Joomla Version 1.5.8 to 1.5.14 for: -http://remida.ru/media/system/js/caption.js
Joomla Version 1.5.9 to 1.5.13 for: -http://remida.ru/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 3.5.1

On that IP: https://cymon.io/195.208.1.134   &   https://www.scumware.org/report/195.208.1.134.html

Avast should detect JS/Redir 

Vuln. in http://www.domxssscanner.com/scan?url=http%3A%2F%2Fremida.ru%2Fmedia%2Fsystem%2Fjs%2Fmootools.js

contradictory to: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fremida.ru%2Fmedia%2Fsystem%2Fjs%2Fcaption.js
Number of sources found: 0
Number of sinks found: 0

Insecure (padlock icon): Audit firm "Remida Audit" (Аудиторская фирма "Ремида Аудит")
remida.ru
Alerts (1)
Insecure login (1)
Password will be transmitted in clear to http://remida.ru/index.php
Infos (1)
Encryption (HTTPS) (1)
Communication is NOT encrypted

See: http://toolbar.netcraft.com/site_report?url=http://remida.ru

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus
Re: Malicious SE redirects on website flagged? AOS does not flag!
« Reply #1 on: August 21, 2016, 05:30:56 PM »
For the DOM XSS scanned mootools script, we should go over: https://searchcode.com/codesearch/view/76380898/

For instance, value=document.cookie.match depends on the regular expression used for matching, as string.match(regexp) will return an array of matches.

example:
Code:
var cml = document.cookie.match(/[^;]+(\d{6});/)[1]; // regex reconstructed from the garbled post; match() returns null when nothing matches, so [1] would throw

This matters as we have the sinks this.value= and value+=.

Where the file manager code is concerned, there is more to skim over, like document.write('<script id = etc.

This just comes to show what we all should take into consideration while going over that code security wise.

As all code comes delivered as fit to use and not completely pentested for security flaws of sorts,
we should leave it here.

I just posted the above to describe that it is not all that easy as one might think at first,
but I have to admit it is very, very interesting material.

Often this may be rather rewarding for those that seek further security,
while the dark hats have already gone over all such flaws to seek their little worm-holes as well.

While on the other hand, this is diminishing these threats enormously:
https://sritest.io/#report/fddc96b0-314b-432f-a450-ece65572ba83  Full A-Status found.

polonus
« Last Edit: August 21, 2016, 08:07:38 PM by polonus »
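As an added illustration of the "sources found / sinks found" idea the DOM XSS scanner reports in this thread (this is example code written for this edit, not polonus' code nor the scanner's own logic), the script below does a crude static pass over JavaScript text: it counts taint sources such as document.cookie, counts sinks such as document.write and .value assignments, and flags sink lines that reference a variable assigned directly from a source. The pattern lists, the one-hop taint rule and the two sample snippets are all assumptions constructed for the example; a real scanner does proper data-flow analysis.

```javascript
// Added example, not from the forum post: a minimal static DOM-XSS
// source/sink finder. Patterns below are an illustrative assumption,
// not an exhaustive list.
const SOURCE_PATTERNS = [
  { name: 'document.cookie', re: /document\.cookie/ },
  { name: 'location.hash', re: /location\.hash/ },
  { name: 'location.search', re: /location\.search/ },
  { name: 'document.referrer', re: /document\.referrer/ },
  { name: 'window.name', re: /window\.name/ },
];

const SINK_PATTERNS = [
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'innerHTML assignment', re: /\.innerHTML\s*=[^=]/ },
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'timer with string argument', re: /\b(setTimeout|setInterval)\s*\(\s*['"]/ },
  { name: 'value assignment', re: /\.value\s*\+?=[^=]/ },
];

// Return one hit per (pattern, line) for every line matching any pattern.
function findMatches(source, patterns) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    for (const p of patterns) {
      if (p.re.test(line)) hits.push({ name: p.name, line: idx + 1, text: line.trim() });
    }
  });
  return hits;
}

// One-hop taint: identifiers assigned on the same line as a source read.
function taintedIdentifiers(source) {
  const tainted = new Set();
  for (const line of source.split('\n')) {
    const m = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (m && SOURCE_PATTERNS.some(p => p.re.test(line))) tainted.add(m[1]);
  }
  return tainted;
}

function scanScript(source) {
  const sources = findMatches(source, SOURCE_PATTERNS);
  const sinks = findMatches(source, SINK_PATTERNS);
  const tainted = [...taintedIdentifiers(source)].map(
    id => new RegExp('\\b' + id.replace(/\$/g, '\\$') + '\\b'));
  // A sink line that mentions a tainted identifier is a likely direct flow.
  const directFlows = sinks.filter(s => tainted.some(re => re.test(s.text)));
  return { sources, sinks, directFlows };
}

function formatReport(label, result) {
  const lines = [`${label}: ${result.sources.length} source(s), ` +
                 `${result.sinks.length} sink(s), ${result.directFlows.length} direct flow(s)`];
  for (const f of result.directFlows) lines.push(`  line ${f.line} [${f.name}]: ${f.text}`);
  return lines.join('\n');
}

// Constructed sample: reads a cookie value (source) and writes it into an
// input and into the page (sinks) without validation.
const SAMPLE_VULNERABLE = `
var m = document.cookie.match(/lang=([^;]+)/);
this.value = m ? m[1] : '';
document.write('<script id="' + m[1] + '"></scr' + 'ipt>');
`;

// Constructed sample: the cookie value is restricted to a whitelist and
// placed in the page via textContent, which is not an HTML sink.
const SAMPLE_HARDENED = `
var m = document.cookie.match(/lang=(en|ru)(?:;|$)/);
var lang = m ? m[1] : 'en';
document.getElementById('lang').textContent = lang;
`;

console.log(formatReport('vulnerable', scanScript(SAMPLE_VULNERABLE)));
console.log(formatReport('hardened', scanScript(SAMPLE_HARDENED)));
```

Running this with node prints 1 source, 2 sinks and 2 direct flows for the vulnerable snippet and 1 source, 0 sinks and 0 flows for the hardened one; note that the hardened version still reads document.cookie, so a source count alone says nothing about exploitability, which is exactly why the scanner reports sources and sinks separately.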