Out-of-date Software Affects Websites Big and Small
Last week we published an article listing some big and popular websites that were leaking information about their users via the Apache server-status page. We also published a full list of sites that had this option enabled on our Labs project: URLFind.org.
On URLFind, we list a lot more details than just the sites that have server-status enabled. You can easily find sites that are running outdated versions of WordPress, Joomla or even vBulletin. We also index sites that are still running PHP 4 (outdated and not supported) and other potentially unsafe configurations and servers.
Message to all webmasters
After we published the blog post about the server-status issue, almost all of the sites got fixed (well, excluding Staples and Ford), which I don’t think would have happened without that small push (walk of shame).
We are hoping that by shedding a bit more light on this already publicly exposed problem, webmasters will take note and update their sites and servers as soon as they can.
Outdated List #1: WordPress (below 3.0)
WordPress 2.9.2 was released in early 2010 and was the last 2.x version. Since then, many security vulnerabilities have been fixed in WordPress, but thousands of websites are still running 2.x, including some popular ones (according to Alexa):
Alexa rank, site
3549, intercambiosvirtuales.org
5702, deutsche-startups.de
7248, xbmc.org
8336, zero10.net
8645, adultbay.org
10633, afilio.com.br
10804, tweetadder.com
11404, animetake.com
11556, webappers.com
12132, wopus.org
12886, daneshju.ir
12927, ftalk.com
13412, scribecontent.com
13833, conversaafiada.com.br
13946, watchseries-online.eu
15175, pinoyexchange.com
We identified more than 6,000 sites in there. Full list: URLFind WordPress Generator.
If you want the really shameful ones, search for WordPress 2.8 and below, which even includes many sub-domains from marthastewart.com (running 2.8).
WordPress 2.9.2: 2144 sites
WordPress 2.8.4: 1160 sites
WordPress 2.9.1: 640 sites
WordPress 2.7.1: 599 sites
WordPress 2.8.6: 511 sites
WordPress 2.7: 370 sites
WordPress 2.5.1: 240 sites
WordPress 2.8.5: 233 sites
WordPress 2.8: 184 sites
WordPress 2.9: 162 sites
WordPress 2.6.2: 141 sites
WordPress 2.6.3: 121 sites
WordPress 2.6: 119 sites
Outdated List #2: PHP (4.x)
PHP 4 reached end of life (EOL) many years ago (2008), but some people are still using it, disregarding the numerous security issues in it.
Full list (more than 15,000 sites): URLFind Powered by PHP 4
PHP/4.4.9: 6919 sites
PHP/4.3.9: 1676 sites
PHP/4.4.7: 771 sites
PHP/4.4.8: 670 sites
PHP/4.3.11: 569 sites
PHP/4.4.4: 561 sites
PHP/4.4.2: 483 sites
PHP/4.3.10: 407 sites
PHP/4.4.4-8: 393 sites
Outdated List #3: IIS/4
IIS/4 is just ancient. Nobody should be running it or even getting close to it. However, 55 sites still are, and some of them are quite popular websites according to Alexa:
Alexa rank, site
15765, kabu.co.jp
22186, hotelrooms.com
61849, myibidder.com
82299, crucerosnet.com
87892, tickerbar.info
122857, thefemjoy.com
153281, postbillpay.com.au
155421, pegperego.com
164352, pure-femjoy.com
166017, isu.org
228420, theadnet.com
250840, sapa.org.za
254470, writersservices.com
Full list of IIS/4 sites: URLFind IIS/4
Outdated List #4: Apache 1.3
Apache 1.3.42 (the latest 1.3.x version) was released in February 2010 and is no longer supported. We couldn’t find any major security issue in 1.3.42 (besides a mod_proxy information disclosure), but running software that has not been maintained for years deserves a spot in the outdated list (especially if you are running anything below 1.3.42).
Full list: URLFind Apache 1.3.42
Apache/1.3.42: 7024 sites
Apache/1.3.41: 4477 sites
Apache/1.3.37: 1939 sites
Apache/1.3.34: 1255 sites
Apache/1.3.33: 1082 sites
Apache/1.3.27: 765 sites
Apache/1.3.39: 471 sites
Apache/1.3.29: 405 sites
Apache/1.3.26: 322 sites
Apache/1.3.31: 267 sites
Apache/1.3.36: 115 sites
Apache/1.3.28: 80 sites
And yes, that’s more than 20,000 sites listed in there.
Tip of the iceberg
This is just a short list of the issues we have found. We could have added sites running Joomla 1.0, vBulletin 3.8.x, Apache 2.2.1x and many other variations. The goal is to warn webmasters that they need to watch their servers and keep them updated and running securely.
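A self-check in that spirit, added here as an example (it is not code from the post or from URLFind): it takes a captured HTTP response from your own site (headers plus HTML; the sample below is constructed and nothing is fetched over the network) and flags the four end-of-life families the post lists, reading the Server and X-Powered-By headers and the WordPress generator meta tag.

```python
import re

# End-of-life thresholds taken from the post: WordPress below 3.0, PHP 4.x,
# Apache 1.3.x and IIS/4. Header names are matched case-insensitively.
EOL_RULES = [
    # (product, where to look, version regex, is_eol(version tuple), reason)
    ("WordPress", ("generator",), r"WordPress\s+(\d+(?:\.\d+)*)",
     lambda v: v < (3,), "WordPress 2.x has not been maintained since 2.9.2 (2010)"),
    ("PHP", ("x-powered-by", "server"), r"PHP/(\d+(?:\.\d+)*)",
     lambda v: v < (5,), "PHP 4 reached end of life in 2008"),
    ("Apache", ("server",), r"Apache/(\d+(?:\.\d+)*)",
     lambda v: v < (2,), "Apache 1.3.x is no longer supported"),
    ("IIS", ("server",), r"Microsoft-IIS/(\d+(?:\.\d+)*)",
     lambda v: v < (5,), "IIS/4 is ancient and unsupported"),
]

def parse_version(text):
    """'1.3.42' -> (1, 3, 42); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))

def generator_tag(html):
    """Return the content of <meta name="generator" ...>, or '' if absent."""
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', html, re.I)
    return m.group(1) if m else ""

def audit_response(headers, html):
    """Return [(product, version, reason)] for every EOL fingerprint found."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for product, sources, pattern, is_eol, reason in EOL_RULES:
        # Join every source the rule cares about into one searchable string.
        haystack = " ".join(generator_tag(html) if s == "generator"
                            else lowered.get(s, "") for s in sources)
        match = re.search(pattern, haystack)
        if match and is_eol(parse_version(match.group(1))):
            findings.append((product, match.group(1), reason))
    return findings

# Constructed sample response: an old Apache/PHP stack serving WordPress 2.9.2.
SAMPLE_HEADERS = {"Server": "Apache/1.3.42 (Unix) PHP/4.4.9",
                  "X-Powered-By": "PHP/4.4.9"}
SAMPLE_HTML = ('<html><head><meta name="generator" content="WordPress 2.9.2" />'
               '</head><body>hello</body></html>')

if __name__ == "__main__":
    for product, version, reason in audit_response(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{product} {version}: {reason}")
```

Many hosts hide the Server header, so an empty result only means no fingerprint was visible, not that the stack is current.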