Ed_W, posted September 7:
The site for a local community organisation is being blocked. I believe it is safe.
JPopovic (Staff), posted September 8:
The domain is legitimately blocked. Here is an example of a problematic file: https://kindling.org.uk/vegboxpeople/location?event_link=https://uploads-ssl.webflow.com/65eff7204fe6d5377038ebc0/65f7459a2b3938a0a660bf74_savutojo.pdf
Ed_W, posted September 8:
Since I trust the people who run the site, I tried the link. It said I was not allowed access. Presumably on a private part of the site.
JPopovic (Staff), posted September 8:
These files are highly suspicious and detected by several sources.
roblog, posted September 9:
Hi, I am the web developer for the Kindling.org.uk site and I can confirm this is indeed a false positive. There was a problem back in June, which was initially picked up by BitDefender, but the problem was isolated and patched up. The phishing PDFs shown by @JPopovic are not hosted on the website, and never have been. Actually what was happening was that bad actors were exploiting a vulnerability on the site to serve the phishing PDFs via third-party servers, using the Kindling site as a conduit and giving the illusion that they were being served by us.

So from the above it looks like the site served the 662ed039c91cc7a39fd297ac_nixitilikibijadeze.pdf file recently, but I can see from the server logs that the following URL was accessed around 5.00pm yesterday: https://kindling.org.uk/vegboxpeople/location?event_link=https://assets.website-files.com/6600046b179511a6698c8268/662ed039c91cc7a39fd297ac_nixitilikibijadeze.pdf

The "event_link" query parameter is used to redirect people from the Kindling website to a specific page on the website of another project associated with the Kindling Trust, but in this case the user has been supplied with a URL which redirects to a phishing PDF located on the assets.website-files.com website. However, if you "curl" the full Kindling.org.uk URL above you will see that the PDF is not served, and instead the website supplies an "Access denied" page. This is because the problem was fixed in June, so the redirect code only works if a legitimate link to the site of the project associated with the Kindling Trust is included in the "event_link" query parameter.

Please test the link yourself and whitelist the kindling.org.uk domain once you are satisfied.

Yours,
Rob Squires
JPopovic (Staff), posted September 9:
Hi, thanks for letting us know. Can you tell us why you don't remove the URLs that are supposed to redirect users to phishing pages, instead of giving them status 403?
roblog, posted September 9:
Hi. The URLs to the phishing PDFs are not being supplied by our website, but are being provided to unsuspecting victims by the phishers via other means.
JPopovic (Staff), posted September 9:
Thank you for your detailed explanation. It's clear that your team has taken steps to address the issue by ensuring that any URLs related to phishing content now return a 403 status. To help us proceed, could you provide any additional evidence or documentation showing that the vulnerability has been completely addressed? Once we receive this confirmation, we will review the information and proceed with removing the block. Thanks
roblog, posted September 9:
Hi Jovan, I'm not sure what else you need / want me to say? The exploited code, which is now fixed, is functioning on this page: https://kindling.org.uk/Calendar

If you hover on some of the calendar links you will see some of them (not all) contain the "event_link" query parameter. You will also see that all the URLs in these links go to the www.vegboxpeople.org.uk website, which is a project created by the Kindling Trust. As of the fix back in June, any URL contained in the event_link parameter that is not to www.vegboxpeople.org.uk will return the 403, so there is no chance of it being exploited any more.

Cheers
roblog, posted September 9:
Hi again Jovan, we have simplified the code on the https://kindling.org.uk/Calendar page of the website, since the event_link redirect functionality is now redundant anyway. Instead the Kindling site now provides a straightforward link to the www.vegboxpeople.org.uk website, without a query parameter that can be abused. Any attempt to access a https://kindling.org.uk/vegboxpeople/location page, regardless of the query parameter, will now return a 404 page not found.
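The thread describes a classic open redirect: an `event_link` parameter that once forwarded to any URL, then (after the June fix) only to www.vegboxpeople.org.uk with a 403 otherwise, and finally was removed outright. The Python below is an added illustration, not the Kindling site's code: it models the unpatched and patched handler decisions with host-based allowlisting (parsed hostname, not substring matching, so look-alike hosts and userinfo tricks fail), and runs the same check over constructed access-log lines of the kind the developer says revealed the abuse. The allowlist, log format and sample URLs are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist modelled on the fix described in the thread: the only
# legitimate redirect target is the VegBox People project site.
ALLOWED_REDIRECT_HOSTS = {"www.vegboxpeople.org.uk"}
ALLOWED_SCHEMES = {"http", "https"}


def event_link_allowed(event_link: str) -> bool:
    """True only if event_link is an absolute http(s) URL whose *parsed* host is allowlisted."""
    try:
        parts = urlsplit(event_link)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ALLOWED_SCHEMES:  # also rejects scheme-less "//host/..." forms
        return False
    if parts.username or parts.password:  # "https://good.example@evil.example" parses host as evil
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased by urlsplit
    return host in ALLOWED_REDIRECT_HOSTS


def redirect_status_unpatched(event_link: str) -> int:
    """Pre-fix behaviour as described: redirect to whatever the parameter holds."""
    return 302 if event_link else 400


def redirect_status(event_link: str) -> int:
    """Post-fix behaviour as described: 302 to an allowlisted target, otherwise 403."""
    return 302 if event_link_allowed(event_link) else 403


# Minimal combined-log request/status extractor (assumed log format).
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_event_links(log_lines):
    """Return (status, event_link) pairs for requests whose event_link fails the allowlist check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for link in parse_qs(query).get("event_link", []):
            if not event_link_allowed(link):
                hits.append((int(m.group("status")), link))
    return hits


# Constructed sample log lines (the file path on the third-party host is a placeholder).
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [08/Sep/2024:17:02:11 +0100] "GET /vegboxpeople/location?event_link=https://assets.website-files.com/constructed/example.pdf HTTP/1.1" 403 512',
    '203.0.113.6 - - [08/Sep/2024:17:05:40 +0100] "GET /vegboxpeople/location?event_link=https://www.vegboxpeople.org.uk/events/42 HTTP/1.1" 302 0',
    '203.0.113.7 - - [08/Sep/2024:17:06:01 +0100] "GET /Calendar HTTP/1.1" 200 9042',
]
```

Off-allowlist hits with status 302 in historical logs would indicate the window before the fix; hits with 403 after it show the redirect is being refused, which matches the "Access denied" the staff member saw.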
JPopovic (Staff, marked as solution), posted September 9:
The block will be removed. Thank you!
roblog, posted September 9:
Thank you!