One of the most basic measures for keeping websites secure is to keep the software running the website up to date; this is something that web hosts know and tell their customers. Unfortunately, many web hosts don’t seem to feel that they need to heed their own advice, and run out-of-date software on their servers. This puts their clients at risk of being hacked through exploitation of a known vulnerability in that software. A web host’s use of outdated software is also a warning sign that it may not be handling the rest of its security properly either.
When we do work on a client’s website we check what version of some common software (PHP, MySQL, phpMyAdmin, etc.) is running on the server. This is partly so that we can see how well web hosts are doing at keeping that software up to date, and also so that we can alert clients when severely out-of-date software is in use. We were recently doing work on a website hosted with Netfirms and found that the server was using a version of phpMyAdmin, 2.8.0.1, that was over seven years out of date:
That version was released on March 8, 2006, and the next version, 2.8.0.2, was released eight days later. phpMyAdmin maintains a page listing all security announcements for the software (something that other software developers should also be providing). Based on just the announcements for 2006 and 2007, the version of phpMyAdmin Netfirms is using probably contains 16 security issues rated serious and 1 considered “quite dangerous”.
If you want to check whether the web hosts you or your clients use are running an outdated version of phpMyAdmin, you can do so with our phpMyAdmin Version Check extension, which is available for Firefox and Chrome.
It is not just phpMyAdmin that Netfirms doesn’t keep up to date. They are also using PHP 5.3.13, which is over a year out of date and has known security vulnerabilities (including ones that were fixed in the very next release).
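The version check described above can be automated. The following is an added example written for this post; it is not our phpMyAdmin Version Check extension or any other code from the post. It reads the PHP version from the X-Powered-By header (which PHP sends unless expose_php is Off) and the phpMyAdmin version from the page HTML, then compares each against a minimum acceptable version. The HTTP headers and HTML are constructed for the example, the "phpMyAdmin <version>" pattern in the body is an assumption about how the page reports itself, and the minimum of 5.3.14 for PHP is assumed to be the release after 5.3.13; in real use, compare against each project's current release.

```python
"""Check the software versions a web server reports against a minimum
acceptable version.

Added example for this post; not the authors' phpMyAdmin Version Check
extension. SAMPLE_HEADERS and SAMPLE_BODY are constructed. The X-Powered-By
header is really sent by PHP (unless expose_php is Off); the body pattern
"phpMyAdmin <version>" and the PHP minimum 5.3.14 are assumptions.
"""
import re
from itertools import zip_longest
from typing import Dict, Optional, Tuple

# Constructed sample response from a hypothetical hosting server, using the
# version numbers discussed in the post.
SAMPLE_HEADERS = {
    "Server": "Apache",
    "X-Powered-By": "PHP/5.3.13",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_BODY = """<html><head><title>phpMyAdmin 2.8.0.1 - Login</title></head>
<body><p>Welcome to phpMyAdmin 2.8.0.1</p></body></html>"""

# Minimum versions to accept. 2.8.0.2 is the next phpMyAdmin release after
# the one found; 5.3.14 is assumed to be the PHP release after 5.3.13.
# In practice compare against the current release of each project instead.
MINIMUMS = {"PHP": "5.3.14", "phpMyAdmin": "2.8.0.2"}

VERSION_RE = r"(\d+(?:\.\d+)+)"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.0.1' into (2, 8, 0, 1) so that comparison is numeric:
    a plain string comparison would wrongly rank '2.11.0' below '2.8.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_outdated(found: str, minimum: str) -> bool:
    """True if found < minimum. The shorter tuple is padded with zeros so
    that '5.3' and '5.3.0' compare as equal."""
    pairs = list(zip_longest(parse_version(found), parse_version(minimum), fillvalue=0))
    return tuple(a for a, _ in pairs) < tuple(b for _, b in pairs)


def php_version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Read the PHP version from X-Powered-By (header name matched
    case-insensitively); None if absent or not advertising PHP."""
    for name, value in headers.items():
        if name.lower() == "x-powered-by":
            m = re.search(r"PHP/" + VERSION_RE, value)
            return m.group(1) if m else None
    return None


def phpmyadmin_version_from_body(body: str) -> Optional[str]:
    """Pull the phpMyAdmin version out of the page HTML.
    The 'phpMyAdmin <version>' pattern is an assumption; adjust it to
    whatever the target page actually emits."""
    m = re.search(r"phpMyAdmin\s+" + VERSION_RE, body)
    return m.group(1) if m else None


def check_response(headers: Dict[str, str], body: str, minimums=MINIMUMS):
    """Return {product: (version_found, outdated)} for each product detected."""
    findings = {}
    php = php_version_from_headers(headers)
    if php:
        findings["PHP"] = (php, is_outdated(php, minimums["PHP"]))
    pma = phpmyadmin_version_from_body(body)
    if pma:
        findings["phpMyAdmin"] = (pma, is_outdated(pma, minimums["phpMyAdmin"]))
    return findings


if __name__ == "__main__":
    for product, (version, outdated) in check_response(SAMPLE_HEADERS, SAMPLE_BODY).items():
        status = "OUTDATED (below %s)" % MINIMUMS[product] if outdated else "ok"
        print("%-10s %-10s %s" % (product, version, status))
```

Note that a server can hide or spoof X-Powered-By, so an absent header is not evidence the host is current; the phpMyAdmin check is the more reliable of the two because the application itself reports its version.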
Amazingly, the fact that they have some pretty obvious security problems hasn’t stopped the security company SiteLock from declaring that Netfirms is secure, as can be seen in the footer of Netfirms’ website:
I’m with Netfirms, a company bought by EIG, along with a slew of other companies. They straight-up do not care, and their support has no idea what anything is. This is one company you need to avoid.