New year New Hack 2018!

On Jan 4, 2018, GoldJoy Holidays reports that their server has been hacked. It is the second local travel agency company has been hacked in this month so far. The first one is Big Line Holiday which is hacked on Jan 3, 2018.



Big Line Holiday is hosting on their own server which is running Microsoft IIS 8.5 and PHP 5.5.30 with no SSL certificate. On the other hand, Goldjoy Holidays is hosting on web hosting company (the name is unknown to me) which is running Debian Linux, Apache 2.4.10 and PHP 5.6.31. It is believed that Big Line Holiday is running a custom web application while GoldJoy Holidays is running Joomla! Meanwhile, both of them are without security headers.



Today, Jan 5, 2018, GoldJoy Holidays announces that they applied layers of firewall to their website. I curious to know what kind of firewall they applied.



After a quick check, GoldJoy Holidays is now running behind Cloudflare and believed that it is either a free plan or Pro plan. The Cloudflare WAF (Web Application Firewall) may be set to high sensitive and SSL certificate is set. However, the SSL certificate provided by Cloudflare is a share certificate and the IT staff of GoldJoy Holidays misconfigures it. Since the site has no appropriated security headers, it may be affected by MITM (Man-In-The-Middle) attack.



The website of GoldJoy Holidays has several XSS (Cross Site Scripting) vulnerability and several suspected SQLi (SQL Injection) vulnerability. In addition, the website has some other minor problems related to security too. It is believed that the web application is Joomla! 1.5.x.



In my opinion, Cloudflare is not a good solution when your vulnerabilites at your website are not fixed. It will mislead the IT staff or users that your site is secure. Cloudflare WAF can be bypassed. I hope that it is a workaround solution, otherwise, it is still danger.



Reference



[1] Yahoo News

[2] South China Morning Post News

[3] TVB News



That's all! See you.