GoDaddy Says That Version of PHP for Which Support Ended 3 Years Ago Meets Their Stability and Security Requirements

You would think that if a web host owned a security company they would be better than other web hosts when it comes to security. With GoDaddy that isn’t the case, though that might be explained by the fact that the security company they own, Sucuri, seems to be completely incompetent. As yet another example of the security issues with GoDaddy, while dealing with a support issue on a website hosted with them we found that they were making this claim about PHP 5.4 on the Programming Languages page of their control panel for the website we were working on:

PHP version 5.4 is available and meets our stability and security requirements.

Support for PHP 5.4 ended in September of 2015.

To make things more confusing, if you click the question mark icon next to the radio selector for that version of PHP on the same page, a message box appears that states:

Version 5.4 is no longer actively supported.

So is the first claim inaccurate or do they have really low standards for “stability and security”?

GoDaddy Still Using phpMyAdmin Version That Hasn’t Been Supported for Over Five and Half Years

Earlier this week we revisited a security issue with a web host that had yet to be resolved nearly two years after we first brought it up, but things can be worse than that.

Back in January of 2014 we pointed out that GoDaddy was still using a version of the database administration tool phpMyAdmin for which support ended in July of 2011. While dealing with an issue on a website hosted with them we noticed that they are still running that version, 2.11.11.3. It is incredible that such a big company would be running outdated and unsupported software for over five and a half years. You have to wonder what less visible security issues also exist in their systems.

While GoDaddy has a number of different types of accounts, according to their listing of what software is running on them, all of the account types that include phpMyAdmin provide outdated versions of it. The newest version they are providing with an account type is 4.0.10.14, which is over a year out of date. They also are using 4.0.8, which is over three years out of date. Finally, they are using 3.5.8.2, for which support ended over three years ago.

When looking at this situation we can’t help but think of GoDaddy’s partnership with the security company SiteLock. If we were not already aware of what SiteLock actually does, it would seem very odd that they would not have required GoDaddy to deal with this issue long ago or ended their partnership, as it would be highly irresponsible, at the very least, to be involved with a company that you know is leaving their customers insecure in this way.

DreamHost’s Failure to Keep MySQL Updated Blocks Use of Latest Moodle Version

When it comes to the security of websites, keeping the software running them up to date is important. While web hosts make a point of emphasizing the need to keep the user-added software up to date, up to the point of often incorrectly jumping to the conclusion that a website must have been hacked due to outdated software, they often fail to do their part by keeping the software running the server up to date. In the case of DreamHost, this now not only means that their servers are not properly secured, but also that recent software can’t be used.

The latest version of Moodle, 2.7, requires at least version 5.5.31 of MySQL. This shouldn’t be a problem, as MySQL 5.5 is currently the oldest series supported and version 5.5.31 was released 16 months ago. Unfortunately, while we were preparing to do a Moodle upgrade for a client hosted with DreamHost we found that they are still on version 5.1.56. Our client contacted them about this and didn’t get any movement on getting this updated. They were not the first, as the issue was brought up in May in a thread on DreamHost’s forum requesting that MySQL be updated. A DreamHost representative replied in the thread before and after that, so they should have been aware that it was mentioned.

While the inability to use the latest version of Moodle is of concern, the larger issue is just how out of date DreamHost leaves the software running on their servers. Support for MySQL 5.1 ended at the end of last year, so they have been running an unsupported version for eight months. If they needed to stick to MySQL 5.1 for some reason, then you would expect that they would be running the last version of 5.1, but they are not. Instead they are running a version that is over three years out of date (5.1.57 was released in May of 2011), and they didn’t update after either of the two subsequent releases with security updates (5.1.62 and 5.1.63) was put out.

Ars Technica and Cisco Provide Another Example of Bad Security Reporting

On Tuesday we looked at an example of the poor state of security journalism. In that case a hack was tied to a specific version of TYPO3, despite the fact that websites not running that version of TYPO3, or not running TYPO3 at all, had been hacked. There was also the larger issue that no evidence was provided as to how the websites were hacked, which is what would be needed to actually tie the hack to a specific version of TYPO3 and would allow people to make sure they protected their websites against it. Just a few days later we have spotted another very similar example worth highlighting. Ars Technica today put out an article, “Ancient Linux servers: The blighted slum houses of the Internet”, that states:

Now comes word of a new mass compromise that preys on even more neglected Web servers, some running versions of the Linux operating system kernel first released in 2007. According to a blog post published late Thursday by researchers from Cisco, the people behind the attack appear to have identified a vulnerability that has since been patched in later Linux releases that allows them to dish malicious content to unsuspecting people who visit the site.

If you read Cisco’s blog post, though, they only state that “it is possible” that a “vulnerability that has since been patched in later Linux release” was the source of the hack, while Ars Technica says that it “appears” to be the case. Here is the relevant section of Cisco’s post:

Attackers compromised legitimate websites, inserting JavaScript that redirects visitors to other compromised websites. All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.

That turns out to be less of an issue than the fact that the websites are not even all running Linux, much less the Linux 2.6 kernel. Some websites provide information on the software running them in the HTTP headers served with the page. Our Server Details web browser extension, available for Chrome and Opera, can parse those HTTP headers to provide the details in them and warn of outdated software. Using those headers we started going through Cisco’s list of compromised websites and second compromised websites. For each we have listed below the first five websites we found not running Linux and what operating system they are running:

Compromised Websites

archive.mrpools.co.uk Windows Server 2003
blueprintbowling.com Windows Server 2008 R2
hwy65mx.com Windows Server 2003
jandjpoolspa.com Windows Server 2003
mussotra.com Windows Server 2003

Second Compromised Websites

3d2print.eu FreeBSD
7va.cc Windows Server 2008 R2
babycaust.info Windows Server 2008
banderil.com.ar Windows Server 2008 R2
c2consultores.com.ar Windows Server 2008 R2

Cisco provides no evidence of how the websites were hacked, which is the really important thing for preventing more websites from being hacked. If they had actually determined how they were hacked before jumping to speculation then they wouldn’t have tried to connect this to Linux, which it seems pretty likely it doesn’t have anything to do with. Cisco also has provided no evidence that this has anything to do with outdated software. If we were to make an educated guess based on the evidence provided so far, we would say it is more likely due to compromised FTP credentials, which could easily be checked for by reviewing the FTP logs for the websites.

We should also note that the use of the Linux 2.6 kernel does not indicate that a website is using obsolete software, as distributions including Debian, Ubuntu, and Red Hat still have supported releases that use that version of the Linux kernel.
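The kind of header-based check the Server Details extension performs, as an added example (not the extension’s own code): it pulls product/version tokens out of a Server header, maps IIS versions to the Windows Server release each ships with, and flags release series whose end of support has passed. The end-of-support table is a constructed illustration built from dates cited on this page, and the sample headers are constructed too.

```python
import re
from datetime import date

# Constructed end-of-support table using dates cited on this page; it is an
# illustration, not the Server Details extension's own version database.
END_OF_SUPPORT = {
    ("apache", (1, 3)): date(2010, 2, 1),      # Apache HTTP Server 1.3
    ("nginx", (0, 7)): date(2011, 7, 1),       # last 0.7 release
    ("php", (5, 4)): date(2015, 9, 1),
    ("phpmyadmin", (2, 11)): date(2011, 7, 12),
    ("mysql", (5, 1)): date(2013, 12, 31),
}

# IIS versions and the Windows Server release each one ships with.
IIS_TO_WINDOWS = {
    (6, 0): "Windows Server 2003",
    (7, 0): "Windows Server 2008",
    (7, 5): "Windows Server 2008 R2",
}

# "product/1.2.3" tokens in a Server or X-Powered-By value.
PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def parse_products(header_value):
    """Return [(product, version_tuple)] for every product/version token."""
    return [(name.lower(), tuple(int(p) for p in ver.split(".")))
            for name, ver in PRODUCT_RE.findall(header_value)]


def infer_os(header_value):
    """Heuristic OS guess from the Server header (IIS maps to a Windows release)."""
    for name, ver in parse_products(header_value):
        if name == "microsoft-iis":
            return IIS_TO_WINDOWS.get(ver[:2], "Windows (IIS %s)" % ".".join(map(str, ver)))
    if "(Unix)" in header_value or "(FreeBSD)" in header_value:
        return "Unix-like"
    return "unknown"


def outdated_products(header_value, today=None):
    """Warnings for products whose major.minor series is past end of support.

    No warning is not proof of currency: the Server header is optional and
    operators often shorten it (e.g. ServerTokens Prod) or rewrite it.
    """
    today = today or date.today()
    warnings = []
    for name, ver in parse_products(header_value):
        eol = END_OF_SUPPORT.get((name, ver[:2]))
        if eol is not None and today >= eol:
            warnings.append("%s %s: %d.%d series unsupported since %s"
                            % (name, ".".join(map(str, ver)), ver[0], ver[1], eol))
    return warnings


# Constructed sample headers modelled on versions this page mentions.
SAMPLE_HEADERS = [
    "Apache/1.3.41 (Unix) mod_ssl/2.8.31 PHP/5.4.45",
    "nginx/0.7.5",
    "Microsoft-IIS/6.0",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", infer_os(header), outdated_products(header))
```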

Kaspersky Lab and Cambridge University Websites Highlight The Poor State of Security

While keeping the software running a website up to date is a basic security measure, as it prevents the website from being exploited due to a known vulnerability in outdated versions of the software, we continue to see that the software isn’t being kept up to date. Our recent look at the stats of our tools for checking web software versions showed that a large percentage of websites checked were running outdated versions of Joomla, WordPress, and MediaWiki. Even websites that you would expect would be taking security seriously are failing to keep the software up to date. We recently looked at companies offering to clean up hacked Joomla websites and found that they were not keeping the software running their websites up to date. All of those companies are rather small, so what about higher profile organizations? The examples below show that even they are failing to do this basic task.

Threatpost

Threatpost is a security news website run by Kaspersky Lab, a major provider of security software. If you visit their website with our Server Details web browser extension you will be warned that the website is using outdated software. Clicking on the icon for the extension will let you know that they are using an outdated version of the nginx web server software:

The Threatpost Website is Running on nginx 0.7.5

The next version in the 0.7 series of nginx was released in June of 2010 and the last release in the series was released in July of 2011. There have been two security vulnerabilities discovered – and resolved in newer versions of nginx – that impact the version being used, the older one being disclosed in November of 2011.

This isn’t an isolated issue at Kaspersky; in April of last year we posted about the fact that their US website was running an outdated version of Drupal. They are still running the same outdated version, which is now over four years out of date.

University of Cambridge

The website for the University of Cambridge is running an outdated version of Drupal, with at least one security update missed:

The University of Cambridge Website is Running a Drupal Version Below 7.25

The university’s computer science department has a Security Group, which you would expect would want to make sure that the university’s websites are being kept secure, but at this point they are not even doing that for their own blog. Their Light Blue Touchpaper research blog is running a very out of date version of WordPress:

Light Blue Touchpaper is Running WordPress 2.9.2

That version of WordPress is over three and a half years out of date and nine subsequent releases have included security updates.

Checking For Outdated Plesk Installations or InfoRiskToday’s Bad Security

One of the biggest obstacles we see to improving website security is that many of the organizations that should be leading on security are not even taking basic website security measures themselves. One type of organization we see that with is news organizations that cover web security. Previously we discussed several that were running very out of date and insecure versions of Drupal. This time we will use InfoRiskToday, which describes itself as providing “credible, timely information that security leaders can put to use as they craft comprehensive information security strategies”, to highlight a security risk and several tools that we provide that can make detecting it relatively easy.

Plesk is control panel software that runs on a server alongside the websites it hosts and permits managing the software on the server and configuring the server. It has also had serious security vulnerabilities that have led to many websites being hacked (one example being a major hack at Media Temple). The way to remain relatively secure against that sort of thing is to keep Plesk up to date, as should be done with all software. Unfortunately, what we have seen is that there are still servers using Plesk 9, for which extended support ended back in June of last year. Since it isn’t supported anymore, if a new security vulnerability were found it wouldn’t be fixed, so Plesk should be updated to a supported version as soon as possible to keep it secure.

We have created a pair of web browser extensions available for Chrome that can make checking for such an outdated Plesk installation relatively easy. The first one, Control Panel Login, looks for HTTP headers that indicate that Plesk is in use and, when found, displays the Plesk logo in the URL bar. Here is how it looks when you visit InfoRiskToday’s website:

Plesk Icon Shown When Visiting InfoRiskToday's Website

Clicking on the icon takes you to the standard URL for logging on to Plesk for the website. Our second extension then comes into play. Control Panel Version Check will display an icon in the URL bar if it detects that a page with Plesk version information is being visited. Clicking on the icon will then display the version information and indicate if it is outdated. In InfoRiskToday’s case you can see that they are still using Plesk 9:

InfoRiskToday is running Plesk 9.5.4

HostGator Using Unsupported Version of cPanel

When it comes to the security of your website, your web host plays an important part, but too often they are failing to do what they need to do to keep your website secure. One of the things they should be doing is keeping software on the server up to date, as that prevents your website from being exploited due to a known vulnerability in the software.

To make it easier to spot when web hosts are using outdated control panel software we released the Control Panel Version Check extension, available for Firefox and Chrome, back in December. Using it you can see that HostGator is using an outdated version of cPanel:

HostMonser is running cPanel 11.36

The version of cPanel they are running, 11.36, has only been unsupported for a week now, so the situation isn’t nearly as bad as many of the hosts we highlight for running years out of date software. But what makes it worth highlighting is that on HostGator’s website they say that they provide the “Latest cPanel Control Panel”:

HostGator claims they run the "Latest cPanel Control Panel"

The latest version at this point is 11.42, which was released a couple of weeks ago. If you are going to tout that you are using the latest version of cPanel then it is really unacceptable to not even be using a supported version.

In addition to the outdated cPanel, HostGator is using a year out of date version of phpMyAdmin:

HostGator is using phpMyAdmin 3.5.5.0

There have been a number of serious security vulnerabilities fixed in subsequent versions of phpMyAdmin.

Go Daddy Still Using phpMyAdmin Version That Hasn’t Been Supported for Two and Half Years

In the past we have mentioned a number of web hosts who were not keeping the MySQL administration software phpMyAdmin running on their servers up to date. In addition to the risk that directly poses to the websites hosted with them, due to the fact that the web host is running software with known vulnerabilities, it is an indication that the web host might not be handling other parts of security properly either.

Go Daddy is yet another web host who hasn’t kept phpMyAdmin up to date on their system. They are currently running phpMyAdmin 2.11.11.3. Support, including security updates, for the 2.11.x series ended on July 12, 2011. While running software that hasn’t been supported for two and a half years is pretty bad, it pales in comparison to other web hosts who we have seen running versions up to seven years out of date. What makes Go Daddy worth mentioning is that they promoted that they were using 2.11.11.3 after support had ended.

On the day after support for 2.11.x ended they put out a notification about the need to update newer versions of phpMyAdmin to fix several vulnerabilities. The notification reads in part (the emphasis is theirs):

The developers of the popular browser-based MySQL tool, phpMyAdmin, recently released updates to patch multiple critical security vulnerabilities in phpMyAdmin 3.4.3 and earlier. The vulnerabilities could let attackers overwrite session information to bypass authentication, inject malicious code, or perform other actions.

Good news, though. The 2.11.x versions aren’t affected. We use phpMyAdmin version 2.11.11.3, so you don’t need to worry if you’re using our shared hosting. (But, it’s a good time to make sure all your other hosting apps are up to date. For more information, see Upgrading to a New Version of a Hosting Quick-Install Application.)

If you use phpMyAdmin 3.4.3 or earlier on a virtual or dedicated server, you must download and install the patch or latest version.

That shows that Go Daddy was aware that phpMyAdmin could contain security vulnerabilities and that it needs to be kept up to date. Yet they were touting that they were running a version that was no longer supported with security updates.

It does appear that Go Daddy made an attempt to upgrade their phpMyAdmin installation around a year ago, as the phpMyAdmin documentation on the server is for phpMyAdmin 3.5.5, which was released on December 20, 2012. Other web hosts are able to handle upgrading phpMyAdmin in a timely manner, so it would appear Go Daddy has some serious problems if they are not even able to complete an upgrade.

Rackspace’s Bad Security

We have found that web hosts often prominently advertise their focus on security while not actually caring about security enough to even take basic security measures. Let’s take a quick look at Rackspace to see that in action. Rackspace has a whole section of their website dedicated to security. If you look over that you would probably be impressed. Though if you look closely you might see warning signs. For example, they have a PDF about their “holistic approach to security” that was written by their Director of Product Marketing. Why is a product marketing person writing a security guide?

You don’t have to look hard to see that Rackspace doesn’t actually have much concern for security. A really basic security measure is keeping the software running on the server up to date. That way the software isn’t vulnerable to known security vulnerabilities that have been fixed in newer versions. An important component of many hosting services is phpMyAdmin, which allows administration of MySQL databases. If someone can exploit phpMyAdmin they can gain access to the database underlying a website. With that they could collect customer information stored in the database, create a new administrator account for a website to gain further access, or do other harmful things. If you believed Rackspace’s claims about their focus on security you would certainly expect they would be keeping their installation of phpMyAdmin up to date. Unfortunately for their customers, they don’t:

Rackspace Cloud is using phpMyAdmin 3.4.9.0

The version they are running is over a year and a half out of date (as the next version of phpMyAdmin was released in February of 2012). It gets even worse: Rackspace only upgraded to that version after a customer alerted them that they were running an outdated and insecure version of phpMyAdmin, and it took them six months after being alerted to do that upgrade.

According to the information on phpMyAdmin’s security page the version Rackspace is running contains a number of security vulnerabilities. The version they are using is so out of date that phpMyAdmin no longer lists if vulnerabilities impact that version, so it isn’t clear exactly how many there are.

MIT Website Running on Very Outdated Version of Apache HTTP Server

When it comes to website security, even institutions that you would think would be among the best able to protect themselves get hacked. In January the Massachusetts Institute of Technology’s (MIT) website was hacked on multiple occasions. While that seems surprising in itself, what is more surprising is that more than six months after that happened MIT is still not taking care of the security of their website.

With our Server Details web browser extension you can see that MIT is using an outdated version of the Apache HTTP Server to run their website:

MIT's Website is Running on Apache 1.3.41

The version they are using is not just a little out of date. Support for Apache HTTP Server 1.3 ended back in February of 2010, so MIT should have upgraded to a newer version three and a half years ago.

What does it say that even after getting hacked multiple times a major institution is not taking the security of their website seriously?