Vulnerability in Meteotemplate
What is Meteotemplate?
Meteotemplate is a software package, or template, which hundreds of amateur weather stations around the world use to create comprehensive and eye-catching web pages with weather data.
My weather station has been sending its data to the internet for several years now, with the help of a Raspberry Pi, the WeeWX open source software, and the Meteotemplate template.
While analysing data from the eMariete.com server, I recently discovered that it was receiving rather suspicious traffic. I looked into it and discovered that the problem was in Meteotemplate.
Meteotemplate has an open redirect vulnerability (technically called CWE-601 [URL Redirection to Untrusted Site ('Open Redirect')]), which means that "the bad guys" can use it to commit their misdeeds (mainly phishing attacks, but it is usable for many more types of attack and for traffic and link masking).
The CCN-157548 vulnerability
CCN-157548 is the code given for this vulnerability in the vulnerability catalogues that cybersecurity companies work with.
This vulnerability (of type 'Open Redirect') allows the attacker to construct a URL in a given format which apparently points to a completely normal and legitimate website but which, when the user clicks on it, redirects him/her to the website of the attacker's choice.
Exploiting a vulnerability like this greatly simplifies phishing attacks, since the name of the server in the manipulated link is identical to that of the "legal" site, which gives the links a harmless appearance.
The link may contain a parameter that tells the web application to redirect the request to the specified URL. By modifying that URL so that it points to the malicious site, an attacker can successfully run a phishing scam and steal the user's credentials.
Open redirection, or Open Redirect, is a bug in this programme which allows attackers to redirect users to malicious websites.
An example of exploitation of this vulnerability would be where the attacker, in order to impersonate your bank, creates a link like https://tubanco.com/entrar and, when the user clicks on it, he/she is redirected to the web page the attacker wants.
If our website https://myweb.com/enter is vulnerable, the bad guy can create a URL such as https://myweb.com/enter/redirect.php?https://elsitiodelmalo.com so that, when our unwary surfer clicks on the link, believing that he will arrive at our website, he actually goes to the website of the bad guy (which can be passed off as ours), which can then request data from the user, for example.
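One way to spot such requests in a web server access log and to decide which redirect targets are acceptable, as an added example (it is not Meteotemplate's code nor the fix published in the forum). It assumes combined-format log lines, the redirect.php?URL link format shown above and a hypothetical ALLOWED_HOSTS allowlist; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: the only hosts redirect.php should ever send a visitor to.
ALLOWED_HOSTS = {"myweb.com", "www.myweb.com"}

# Request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, the article's example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Aug/2020:10:01:02 +0200] "GET /enter/redirect.php?https://elsitiodelmalo.com HTTP/1.1" 302 0',
    '198.51.100.4 - - [25/Aug/2020:10:01:09 +0200] "GET /enter/redirect.php?https%3A%2F%2Felsitiodelmalo.com HTTP/1.1" 302 0',
    '192.0.2.10 - - [25/Aug/2020:10:02:30 +0200] "GET /enter/redirect.php?https://www.myweb.com/station HTTP/1.1" 302 0',
    '192.0.2.11 - - [25/Aug/2020:10:03:00 +0200] "GET /enter/index.php HTTP/1.1" 200 5120',
]


def redirect_target(request_path):
    """Return the decoded target handed to redirect.php, or None for other requests."""
    path, sep, query = request_path.partition("?")
    if not sep or not path.lower().endswith("/redirect.php"):
        return None
    return unquote(query)


def is_allowed_target(target):
    """True only for http(s) URLs whose parsed host is exactly on the allowlist."""
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    # Compare the parsed hostname, never a string prefix of the whole URL.
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def suspicious_redirects(log_lines):
    """Return (client_ip, target) for redirect.php requests that leave the allowlist."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = redirect_target(match.group(1))
        if target is not None and not is_allowed_target(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in suspicious_redirects(SAMPLE_LOG):
        print(f"{ip} -> {target}")
```

The same is_allowed_target check is the decision a redirect script has to make before it sends a Location header: anything that is not an http(s) URL on one of its own hosts is refused.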
How to fix the Meteotemplate vulnerability?
When I discovered the vulnerability on 8 June 2020, I reported it in the official Meteotemplate forum in the hope that Jachym, the creator, could fix it but, unfortunately, there was no response. I have not received any comments, neither from Jachym nor from any other user (it seems that Jachym has deleted my post).
A month and a half later, on 21 August 2020, I insisted again, adding more information that I had discovered and publishing a list of affected sites, so that they could see that there were thousands. There was no response either.
On 25 August I opted to make it public in Meteoclimatic, which is the largest forum for meteorology enthusiasts in Spain and where many of them use this software. They immediately paid attention and, in less than 24 hours, the user jmviper published the code of redirect.php, which you can see below, fixing the vulnerability in Meteotemplate.
The impact on SEO
What is SEO?
SEO (Search Engine Optimisation) is the science/art of optimising web pages for search engine positioning.
The aim is to ensure that when a user searches for something on Google, or any other search engine, the page appears as high as possible in the results.
What you have to keep in mind is that for Google the most important thing is to resolve the search intent of users.
But how does Google determine which pages should be put first in the results?
Logically, Google takes many things into account when deciding which pages to include in the search results and which pages to put first.
Of course, one of the most important factors is the content of the pages, in addition to the title of the page. But, to know which pages are of genuine quality and may appeal more to users, it also relies on other signals, which can be positive or negative, such as:
Positive signals for Google
These are the ones that indicate to Google that the page may be interesting, be liked by users and resolve search intent.
- What other sites link to this one? If many other sites link to this one, it may mean that its content is important.
- What is the subject matter of the pages that link to this one? If the pages linking to it are of the same subject matter as the page in question, the content is more likely to be relevant to the user.
- What is the reputation of other sites linking to this one? It is not the same to be linked from the page of Perico el de los palotes (I am referring to a page without any importance, with little content, to which almost nobody links, etc.) as it is to be linked from a major newspaper or an authoritative website (especially if it is of the same subject matter).
Negative signals for Google
Just as Google takes into account these signals, which tell it that a page has this "prestige", there are other signs that tell it that the page may have bad, uninteresting or unoriginal content (copied from other sites), and even that its content is dishonest or outright illegal.
- Does the page receive links from suspicious sites? If the page receives links from porn sites, illegal sales, sale of illegal products, etc. it is more than possible that Google will penalise this page and that it does not appear in the search results (even if its content is completely clean, legal and correct). After all, Google likes its results to be suitable for all audiences (even if it is trying to meet the search intent of those who want something else).
- Does the page have frequent spelling, syntax, agreement or similar errors? This may indicate to Google that its content is of low quality, or that it has been automatically generated or translated.
- Is the page updated frequently? Google likes pages that are updated frequently and have fresh content, as do the majority of users.
What Google sees
If our site is exploitable through such a vulnerability, many cybercriminals will soon use it to redirect users to other sites, placing multiple links on many sites, forums, pages of all kinds, advertising, etc., with links such as https://myweb.com/enter/redirect.php?https://elsitiodelmalo.com
It should be borne in mind that cybercriminals, in many cases, use automatic tools to create these links, so it will be normal for our website to receive hundreds or thousands of malicious links in a very short time.
What Google will see is that many sites dedicated to sex, malware, phishing, illegal activities, etc. link to our site. It won't like "our friendships" and can penalise our page for this, causing the page not to appear in the search engine results (or at least not in the top positions).
Actual Google penalty data
In the following table we can see the probability of a Google penalty, as calculated by the MOZ tool, for websites using Meteotemplate.
I have limited the list to sites that have a chance higher than 50%; there are many more with lower values.
For privacy and security reasons I have removed part of the URL.