
False positive Kindling.org.uk


Ed_W
Solved by JPopovic

Hi, I am the web developer for the Kindling.org.uk site and I can confirm this is indeed a false positive. There was a problem back in June, which was initially picked up by BitDefender, but the problem was isolated and patched up. The phishing PDFs shown by @JPopovic are not hosted on the website, and never have been. Actually, what was happening was that bad actors were exploiting a vulnerability on the site to serve the phishing PDFs via third-party servers, using the Kindling site as a conduit and giving the illusion that they were being served by us.

So from the above it looks like the site served the 662ed039c91cc7a39fd297ac_nixitilikibijadeze.pdf file recently but I can see from the server logs that the following URL was accessed around 5.00pm yesterday:

https://kindling.org.uk/vegboxpeople/location?event_link=https://assets.website-files.com/6600046b179511a6698c8268/662ed039c91cc7a39fd297ac_nixitilikibijadeze.pdf

The "event_link" query parameter is used to redirect people from the Kindling website to a specific page on the website of another project associated with the Kindling Trust, but in this case the user has been supplied with a URL which redirects to a phishing PDF located on the assets.website-files.com website. However, if you "curl" the full Kindling.org.uk URL above you will see that the PDF is not served, and instead the website supplies an "Access denied" page.

This is because the problem was fixed in June, so the redirect code only works if a legitimate link to the site of the project associated with the Kindling Trust is included in the "event_link" query parameter.

Please test the link yourself and whitelist the kindling.org.uk domain once you are satisfied.

Yours, Rob Squires


Staff

Thank you for your detailed explanation. It’s clear that your team has taken steps to address the issue by ensuring that any URLs related to phishing content now return a 403 status.

To help us proceed, could you provide any additional evidence or documentation showing that the vulnerability has been completely addressed?

Once we receive this confirmation, we will review the information and proceed with removing the block.

Thanks


Hi Jovan, I'm not sure what else you need / want me to say? The exploited code which is now fixed is functioning on this page: https://kindling.org.uk/Calendar

If you hover on some of the calendar links you will see some of them (not all) contain the "event_link" query parameter. You will also see that all the URLs in these links go to the www.vegboxpeople.org.uk website, which is a project created by the Kindling Trust. As of the fix back in June, any URL contained in the event_link parameter that is not to www.vegboxpeople.org.uk will return the 403, so there is no chance of it being exploited any more.

Cheers

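The fix described in the posts above is a host allowlist on the redirect target. The following is an added example written for this thread, not the Kindling site's own code: it shows the pre-fix "redirect to whatever event_link says" behaviour next to a hardened handler that returns 403 for any target whose host is not www.vegboxpeople.org.uk. The request URLs, the `https`-only rule and the function names are assumptions; only the first sample URL and the allowed host come from the thread.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed allowlist, taken from the thread: the one host a redirect may target.
ALLOWED_REDIRECT_HOSTS = {"www.vegboxpeople.org.uk"}
# Assumption for this example: only https targets are accepted.
ALLOWED_SCHEMES = {"https"}


def extract_event_link(request_url: str) -> Optional[str]:
    """Return the first event_link value from the request's query string, if any."""
    query = parse_qs(urlparse(request_url).query)
    values = query.get("event_link")
    return values[0] if values else None


def vulnerable_redirect(request_url: str) -> Tuple[int, Optional[str]]:
    """Pre-fix behaviour (as the thread describes it): redirect to any event_link.

    Returns (http_status, location_header). This is the open redirect.
    """
    target = extract_event_link(request_url)
    if target is None:
        return 400, None
    return 302, target


def is_allowed_redirect(target: str) -> bool:
    """Allowlist check: absolute https URL whose hostname matches exactly."""
    parsed = urlparse(target)
    # Require an explicit allowed scheme and a hostname. This rejects relative
    # paths, scheme-relative values such as "//host/..." and non-http schemes.
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return False
    # urlparse().hostname already strips userinfo and port and lower-cases the
    # host, so the comparison is against the real destination host only, and an
    # exact-match set lookup means look-alike hosts do not pass.
    return parsed.hostname in ALLOWED_REDIRECT_HOSTS


def hardened_redirect(request_url: str) -> Tuple[int, Optional[str]]:
    """Post-fix behaviour: 403 unless event_link points at the allowed host."""
    target = extract_event_link(request_url)
    if target is None:
        return 400, None
    if not is_allowed_redirect(target):
        return 403, None
    return 302, target


# Constructed sample requests. The first is the URL quoted in the thread; the
# second is a made-up legitimate calendar link to the allowed host.
SAMPLE_REQUESTS = [
    "https://kindling.org.uk/vegboxpeople/location?event_link="
    "https://assets.website-files.com/6600046b179511a6698c8268/"
    "662ed039c91cc7a39fd297ac_nixitilikibijadeze.pdf",
    "https://kindling.org.uk/vegboxpeople/location?event_link="
    "https://www.vegboxpeople.org.uk/locations/example",
]


def compare_handlers(request_url: str) -> Tuple[int, int]:
    """Return (vulnerable_status, hardened_status) for one request URL."""
    return vulnerable_redirect(request_url)[0], hardened_redirect(request_url)[0]


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        before, after = compare_handlers(url)
        print(f"before fix: {before}  after fix: {after}  {url}")
```

The important design choice is the exact hostname comparison on the parsed URL rather than a substring or prefix test on the raw string: `urlparse` discards userinfo and port, so the check sees only the host the browser would actually connect to, and a set lookup cannot be satisfied by a longer host that merely contains the allowed name. Removing the parameter altogether, as the later post describes, is of course the simplest fix of all.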

Hi again Jovan, we have simplified the code on the https://kindling.org.uk/Calendar page of the website since the event_link redirect functionality is now redundant anyway. Instead the Kindling site now provides a straightforward link to the www.vegboxpeople.org.uk website, without a query parameter that can be abused.

Any attempt to access a https://kindling.org.uk/vegboxpeople/location page, regardless of the query parameter, will now return a 404 Not Found page.
