Two weeks ago we posted about FatCow was running an over six years out of date version of phpMyAdmin on their servers. In the post we mentioned that was the most out of date software we had seen in a long time, but that dubious distinction has now been taken by 1&1 and the nearly sevens years out of date version of phpMyAdmin they use. They are running phpMyAdmin 2.6.4-pl3, which was released on October 22, 2005. The subsequent version, a security update, was released on November 15, 2005.
1&1 tells their customers it is important to keep software up to date to avoid being hacked:
One way to avoid attacks, is to make sure to keep your programs
and scripts up-to-date. Check regularly for security warnings and
make sure to install security patches as they become available.
They obviously don’t listen to their own advice, but they do claim that they do:
1&1 system administrators work hard to make sure that our 1&1 servers are protected from known vulnerabilities by keeping all programs and services up-to-date with.
phpMyAdmin provides a page that provides a listing of all security announcements for the software (something that other software developers should also be providing). In 2005, there were three serious security vulnerabilities found that probably impact the version of phpMyAdmin 1&1 is running. The version probably contains most, if not all, of the 16 serious severity security issues and 1 considered “quite dangerous” fixed in 2006 and 2007, that we counted that impact in the version used FatCow. And the version probably contains more vulnerabilities that were fixed in later years.