DreamHost Also Distributing Outdated Web Software Through One-Click Installer

When it comes to improving the poor state of website security, web hosts certainly could be doing things over and above what is their responsibility. But at this point we are finding that they are still failing to do some things that really are their responsibility. One of those is not offering to install software on websites that is outdated and insecure. In May we discussed an instance where a web host told the owner of a hacked website that the outdated version of Joomla they were using, 2.5.28, was a security weakness, while still offering to install that version through the MOJO Marketplace service. Support for that version of Joomla had ended almost two and a half years before, so it should have long been removed from such a service. Earlier this week we noted that another similar service used by web hosts, Softaculous, was also still offering to install that version of Joomla.

While working on a website hosted with DreamHost we checked to see how they were doing in this regard. The good news is that they are not offering to install that version of Joomla. The bad news is that the version of Joomla they are installing is an outdated and insecure version, 3.6.4:

That version was superseded by 3.6.5 in the middle of December, and 3.6.5 was a security update. There have been three security updates released since then: 3.7, 3.7.1, and 3.7.3.

Of the other software that they offer that we deal with on a regular basis, most of it is also outdated and insecure.

They offer MediaWiki 1.26.3:

Version 1.26.4, which includes a security update, was released last August and version 1.26.x reached end of life in November.

They offer phpBB 3.0.13:

Version 3.0.14, which includes a security update, was released in May 2015 and version 3.0.x reached end of life in November of that year.

They offer Zen Cart 1.5.4:

That was superseded by version 1.5.5 in March of last year. If DreamHost hadn’t added the security patches released for version 1.5.4, then version 1.5.5 would have been a security update over what they are offering as well.
