Out-of-date Software Affects Websites Big and Small

Last week we published an article listing some big and popular websites that were leaking information about their users via the Apache server-status page. We also published a full list of sites that had this option enabled on our Labs project: URLFind.org.

On URLFind, we list a lot more details than just the sites that have server-status enabled. You can easily find sites that are running outdated versions of WordPress, Joomla or even vBulletin. We also index sites that are still running PHP 4 (outdated and not supported) and other potentially unsafe configurations and servers.

Message to all webmasters

After we published the blog post on the server-status issue, almost all of the sites got fixed (well, excluding Staples and Ford), which I don’t think would have happened without that small push (walk of shame).

We are hoping that by shedding a bit more light on this already publicly exposed dilemma, webmasters will take note and update their sites and servers as soon as they can.


Outdated List #1: WordPress (below 3.0)

WordPress 2.9.2 was released in early 2010 and was the latest 2.x version. Since then, many security vulnerabilities have been fixed in WordPress, but thousands of websites are still running 2.x, including some popular ones (according to Alexa):

#alexa rank, site
3549,intercambiosvirtuales.org
5702,deutsche-startups.de
7248,xbmc.org
8336,zero10.net
8645,adultbay.org
10633,afilio.com.br
10804,tweetadder.com
11404,animetake.com
11556,webappers.com
12132,wopus.org
12886,daneshju.ir
12927,ftalk.com
13412,scribecontent.com
13833,conversaafiada.com.br
13946,watchseries-online.eu
15175,pinoyexchange.com

We identified more than 6,000 such sites. Full list: URLFind WordPress Generator.

If you want the really shameful ones, search for WordPress 2.8 and below, which even includes many sub-domains from marthastewart.com (running 2.8).

Breakdown:

WordPress 2.9.2   2144 sites
WordPress 2.8.4   1160 sites
WordPress 2.9.1   640 sites
WordPress 2.7.1   599 sites
WordPress 2.8.6   511 sites
WordPress 2.7     370 sites
WordPress 2.5.1   240 sites
WordPress 2.8.5   233 sites
WordPress 2.8     184 sites
WordPress 2.9     162 sites
WordPress 2.6.2   141 sites
WordPress 2.6.3   121 sites
WordPress 2.6     119 sites

Outdated List #2: PHP (4.x)

PHP 4 reached EOL (end of life) many years ago (in 2008), but some people are still using it, disregarding the numerous security issues it has.

Full list (more than 15,000 sites): URLFind Powered by PHP 4

PHP/4.4.9 	6919 sites
PHP/4.3.9 	1676 sites
PHP/4.4.7 	771 sites
PHP/4.4.8 	670 sites
PHP/4.3.11 	569 sites
PHP/4.4.4 	561 sites
PHP/4.4.2 	483 sites
PHP/4.3.10 	407 sites
PHP/4.4.4-8 	393 sites

Outdated List #3: IIS/4

IIS/4 is just ancient. Nobody should be running it or even getting close to it. However, 55 sites still are, and some of them are quite popular websites according to Alexa:

15765,kabu.co.jp
22186,hotelrooms.com
61849,myibidder.com
82299,crucerosnet.com
87892,tickerbar.info
122857,thefemjoy.com
153281,postbillpay.com.au
155421,pegperego.com
164352,pure-femjoy.com
166017,isu.org
228420,theadnet.com
250840,sapa.org.za
254470,writersservices.com

Full list of IIS/4 sites: URLFind IIS/4


Outdated List #4: Apache 1.3

Apache 1.3.42 (the latest 1.3.x version) was released in February 2010 and is not supported anymore. We couldn’t find any major security issue in the 1.3.42 version (besides a mod_proxy information disclosure), but running software that has not been maintained for years deserves a spot in the outdated list (especially if you are running anything below 1.3.42).

Full list: URLFind Apache 1.3.42

Apache/1.3.42   7024 sites
Apache/1.3.41   4477 sites
Apache/1.3.37   1939 sites
Apache/1.3.34   1255 sites
Apache/1.3.33   1082 sites
Apache/1.3.27   765 sites
Apache/1.3.39   471 sites
Apache/1.3.29   405 sites
Apache/1.3.26   322 sites
Apache/1.3.31   267 sites
Apache/1.3.36   115 sites
Apache/1.3.28   80 sites

And yes, that’s more than 20,000 sites listed in there.


Tip of the iceberg

This is just a shortlist of the issues we have found. We could have added sites running Joomla 1.0, vBulletin 3.8.x, Apache 2.2.1x and many other variations. The goal is to warn webmasters that they need to watch their servers and keep them updated and running securely.
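The four lists above are all built from version strings a site hands out on every response: the Server and X-Powered-By headers (Apache, PHP, IIS) and the WordPress generator meta tag. As an added example (not code from the post or from URLFind), the Python script below reads a raw HTTP response you captured from your own site (for instance with `curl -si https://your-site.example/`), pulls those version strings out, and flags anything that falls under the post's outdated lists: WordPress below 3.0, PHP 4.x, IIS/4 and Apache 1.3.x. The sample responses at the bottom are constructed for the demo and do not describe any real site.

```python
"""Flag outdated server software in a saved HTTP response (added example).

Thresholds come from the post's four outdated lists. Sample responses are
constructed; run the script against output you captured from your own server.
"""
import re

# Product -> predicate on a parsed version tuple; True means "on the outdated list".
OUTDATED = {
    "WordPress": lambda v: v < (3, 0),          # list #1: WordPress below 3.0
    "PHP": lambda v: v[0] == 4,                 # list #2: PHP 4.x
    "Microsoft-IIS": lambda v: v[0] == 4,       # list #3: IIS/4
    "Apache": lambda v: v[:2] == (1, 3),        # list #4: Apache 1.3.x
}

# "Apache/1.3.42 (Unix) PHP/4.4.9" -> [("Apache", "1.3.42"), ("PHP", "4.4.9")]
# Suffixes such as "PHP/4.4.4-8" stop at the first non-dotted-digit character.
HEADER_TOKEN_RE = re.compile(r"(Apache|Microsoft-IIS|PHP)/(\d+(?:\.\d+)*)")
# The tag WordPress emits: <meta name="generator" content="WordPress 2.9.2" />
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)


def parse_version(text):
    """'1.3.42' -> (1, 3, 42); tuples compare element-wise, as versions should."""
    return tuple(int(part) for part in text.split("."))


def split_response(raw):
    """Split a raw HTTP response into ({lowercased header: value}, body)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    headers = {}
    for line in head.splitlines()[1:]:          # first line is the status line
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def detect_products(headers, body):
    """Return {product: version_tuple} from Server, X-Powered-By and the generator tag."""
    found = {}
    for field in ("server", "x-powered-by"):
        for product, version in HEADER_TOKEN_RE.findall(headers.get(field, "")):
            found.setdefault(product, parse_version(version))
    match = GENERATOR_RE.search(body)
    if match:
        found["WordPress"] = parse_version(match.group(1))
    return found


def outdated_products(raw):
    """Return a sorted list of 'Product x.y.z' strings that fall under an outdated list."""
    headers, body = split_response(raw)
    flagged = []
    for product, version in detect_products(headers, body).items():
        check = OUTDATED.get(product)
        if check and check(version):
            flagged.append(f"{product} {'.'.join(map(str, version))}")
    return sorted(flagged)


# Constructed sample responses in the shape `curl -si` prints (not real sites).
SAMPLE_OLD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.42 (Unix) PHP/4.4.9\r\n"
    "X-Powered-By: PHP/4.4.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 2.9.2" /></head></html>'
)
SAMPLE_CURRENT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"                        # version hidden: nothing to flag
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>ok</title></head></html>"
)
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("old", SAMPLE_OLD), ("current", SAMPLE_CURRENT), ("iis", SAMPLE_IIS)):
        print(label, outdated_products(raw) or "nothing flagged")
```

A site whose headers carry no version (the "current" sample) is not flagged, which is the limit of this kind of check: an absent banner is not proof of an up-to-date install, only of a server that stopped advertising, so treat the script as a quick audit of what your site tells the world, not as a substitute for actually tracking the versions you run.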

About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests include intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid