Author Topic: Re: URL:Mal FP report  (Read 6512 times)

REDACTED

  • Guest
Re: URL:Mal FP report
« on: February 26, 2017, 03:55:15 AM »
Hello, I have a false positive, the same problem with demolandia[.]net. Can you help me, please? I cannot see my website; why is it blocked?


Thank you very much.
« Last Edit: February 26, 2017, 07:19:21 PM by HonzaZ »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Re: URL:Mal FP report
« Reply #1 on: February 26, 2017, 10:09:44 AM »
Hello, I have a false positive, the same problem with http://www.demolandia.net. Can you help me, please? I cannot see my website; why is it blocked?


Thank you very much.
How to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438



REDACTED

  • Guest
Re: Re: URL:Mal FP report
« Reply #2 on: February 26, 2017, 11:33:18 AM »
Thank you very much Pondus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Re: URL:Mal FP report
« Reply #3 on: February 26, 2017, 07:08:32 PM »
I see no direct IP issues because of Strato AG abuse: http://urlquery.net/report.php?id=1488131349624
You should wait for an Avast Team Member to react here. We are only volunteers with relevant knowledge and cannot unblock.
You also have persistent DNS issues (dispersion) with nameservers: http://www.dnsinspect.com/demolandia.net/10033371

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Re: URL:Mal FP report
« Reply #4 on: February 26, 2017, 07:32:48 PM »
Considering HonzaZ (avast virus labs I believe) edited the active URL in the OP's post, there may be more to this than a false positive.

That said, I have just visited the site and no avast alerts.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: URL:Mal FP report
« Reply #5 on: February 26, 2017, 07:41:51 PM »
Funny story :) I am in the process of reinstalling windows on my PC at home, but I got a notification, so I broke the link to be not clickable and split the topic (previously this was glued to a 2014 topic). However, I have no access to internal tools yet, so I didn't even bother replying.
I tested it now and I do not get any popup either, so I guess there is no issue now... To be sure though, I will have to check from work tomorrow! :)
« Last Edit: February 26, 2017, 08:06:59 PM by HonzaZ »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Re: URL:Mal FP report
« Reply #6 on: February 26, 2017, 07:56:37 PM »
Thanks, I did wonder why there was just a broken link and no response :)

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: URL:Mal FP report
« Reply #7 on: February 27, 2017, 09:22:14 AM »
It seems like demolandia[.]net was never blocked... If you still have issues, please attach a printscreen of the detection ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: URL:Mal FP report
« Reply #8 on: February 27, 2017, 03:29:54 PM »
Good that the website was never blocked, so it is neither malicious nor suspicious.

Apart from the nameserver issues I mentioned and that should be taken up with Strato Berlin,
there are still some issues that need attention as they came up from a minor third party code audit.

It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):
Quote
qtrans_front_language : en
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

Website may also be vulnerable to Clickjacking. It doesn't look like an X-Frame-Options header was returned from the server, which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

1 retirable jQuery library: http://retire.insecurity.today/#!/scan/063487abe7b7b732fcc8cd349bdc678ac41ab6097e435d713cb4c2cc31c6e849

1 script flagged on SRI report: https://sritest.io/#report/555550f1-65f6-4de6-a464-444a38951a95

Sources and sinks to consider here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.demolandia.net

CMS seems to be configured neatly and fully patched and updated.

polonus (volunteer website security analyst and website error-hunter)
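The two header findings in the post above (a cookie set without HttpOnly, and no X-Frame-Options header) can be re-checked offline, as an added example that is not part of the original thread. The raw responses are constructed samples (only the cookie name and value come from the post), and accepting a CSP `frame-ancestors` directive as a framing policy is an assumption beyond what the post mentions.

```python
# Constructed sample responses; only the cookie name/value comes from the thread.
BEFORE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: qtrans_front_language=en; expires=Tue, 27-Feb-2018 15:29:54 GMT; path=/",
    "", "<html></html>"])
AFTER = BEFORE.replace("path=/", "path=/; HttpOnly\r\nX-Frame-Options: SAMEORIGIN")

def parse_headers(raw):
    """Return [(lowercased name, value)] from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")     # split at the first colon only
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookies_missing_httponly(headers):
    """Names of cookies whose Set-Cookie line carries no HttpOnly attribute."""
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(parts[0].split("=", 1)[0])
    return missing

def framing_policy(headers):
    """The declared framing policy, or None when the response sets none."""
    for name, value in headers:
        if name == "x-frame-options":
            return "X-Frame-Options: " + value
    for name, value in headers:
        if name == "content-security-policy":
            for directive in value.split(";"):
                if directive.strip().lower().startswith("frame-ancestors"):
                    return "CSP " + directive.strip()
    return None

def audit(raw):
    headers = parse_headers(raw)
    findings = [f"cookie '{c}' set without HttpOnly" for c in cookies_missing_httponly(headers)]
    if framing_policy(headers) is None:
        findings.append("no X-Frame-Options or CSP frame-ancestors header")
    return findings

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```
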

REDACTED

  • Guest
Re: URL:Mal FP report
« Reply #9 on: February 28, 2017, 01:44:41 AM »
Thank you very much for the security test. I have updated my jquery version to the last version and I'm trying to solve the other problems.

Regards!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: URL:Mal FP report
« Reply #10 on: February 28, 2017, 01:52:42 AM »
Hi JuanJo29,

You are more than welcome,

Skimming over part of that particular script of the source code in the main page I meet the following script errors with an unpacker:
Quote
[script] -pagead2.googlesyndication dot com/pagead/js/adsbygoogle.js
     info: [decodingLevel=0] found JavaScript
     error: line:18: SyntaxError: missing ) after argument list:
          error: line:18:
          error: line:18: ^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <script async src="-/pagead2.googlesyndication dot com/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle" style="display:inline-block;width:300px;height:600px" data-ad-client="ca-pub-5072451624715859" data-ad-slot="1344587844"></ins> <script>(adsby
          error: line:3: ..............^
     file: e3d539db5c0e7cf90599f71db9753d16b6b3c5da: 7257 bytes
Various undefined like - undefined function e, undefined variable n in wp includes code, similar where the SRI hash has not been generated for. Could be after you have modified. You will need to save the data in line 3 (highlighted). I see you have updated the vulnerable jQuery already.

I wish everybody would be so apt to react like you did, we would have a much more secure infrastructure by now.

Well done and stay safe and secure both offline as well as online. Nice to have met you here.

polonus (volunteer website security analyst and website error-hunter)