mail2wickr
a guest
Jan 19th, 2020
Hello, I was curious if wickr.me/username was a feature of Wickr so that I could easily link it in profiles and stuff. After entering the URL, I was brought to an outdated and vulnerable website run by Wickr that seems to have been forgotten about.
These are my simple findings after only looking around for a couple of brief minutes. Sorry for the low-quality report as I'm a bit of a "noob", but I am attempting to get all of the information across to you with this. I think that the wickr.me/username URL idea is pretty cool too, like Kik's kik.me/username and Snapchat's snapchat.me/add/username, etc.

First of all, right in the source it shows debug info and is shouting to the internet that it is running an old and vulnerable version of the theme.

<!--
Debugging Info for Theme support:

Theme: Enfold
Version: 3.1.5
Installed: enfold
AviaFramework Version: 2.2
AviaBuilder Version: 0.8
ML:256-PU:32-PLA:7
WP:4.4.19
Updates: disabled
-->

Vulnerability allows attacker to Rewrite Portfolio Permalink Structure & Information Disclosure
Fixes for security issues that would allow an attacker to export your Enfold settings and rewrite the portfolio permalink structure are included in the newest version of the theme, which you could update to, but updates are disabled for some reason, as seen in the source.
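One defender-side check the first finding suggests, as an added example that is not from this report or from Wickr: parse the Enfold "Debugging Info" comment out of saved page source and flag what it reveals. The baseline versions passed to assess() are an assumed input you choose for your own sites, and the sample HTML is constructed around the comment quoted above.

```python
import re
# Constructed sample page source carrying the Enfold debug comment quoted in the
# report above (field values copied from it; the surrounding HTML is made up).
SAMPLE_HTML = """<html><head>
<!--
Debugging Info for Theme support:

Theme: Enfold
Version: 3.1.5
Installed: enfold
AviaFramework Version: 2.2
AviaBuilder Version: 0.8
ML:256-PU:32-PLA:7
WP:4.4.19
Updates: disabled
-->
</head><body></body></html>"""

def parse_theme_debug(html):
    """Return the debug comment's key/value pairs, or {} when the page has none."""
    match = re.search(r"<!--\s*Debugging Info for Theme support:(.*?)-->", html, re.S)
    if not match:
        return {}
    info = {}
    for raw in match.group(1).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ML:"):             # counter line has no single key
            info["Counters"] = line
            continue
        key, value = line.split(":", 1)        # handles 'WP:4.4.19' and 'Theme: Enfold'
        info[key.strip()] = value.strip()
    return info

def version_tuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version))  # '3.1.5' -> (3, 1, 5)

def assess(info, min_theme, min_wp):
    """Findings for one site; min_theme/min_wp are an assumed baseline you choose."""
    if not info:
        return []                              # nothing leaked, nothing to flag
    findings = ["theme debug info exposed in page source"]
    if info.get("Updates", "").lower() == "disabled":
        findings.append("theme updates disabled")
    if version_tuple(info.get("Version", "0")) < version_tuple(min_theme):
        findings.append(f"Enfold {info['Version']} below baseline {min_theme}")
    if version_tuple(info.get("WP", "0")) < version_tuple(min_wp):
        findings.append(f"WordPress {info['WP']} below baseline {min_wp}")
    return findings
```

Run it over the HTML of each site you own; an empty result means the debug comment is not present at all, which is the state you want.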

Another plugin that may be vulnerable and outdated, displayed in the source:

<!-- Cached page generated by WP-Super-Cache...
<!-- Compression = gzip -->

ERROR LOGS FOUND

Includes full path disclosure:
/home2/theiden1/public_html/
and web server logs, information disclosures:

http://wickr.me/wp-content/themes/enfold/error_log

ADMIN LOGIN: https://wickr.me/wp-admin/
ADMIN USER FOUND: yorkwickr-com
How? By brute-forcing the author ID.

wickr.me:2082
wickr.me:2083
cPanel, web hosting and email: http://box746.bluehost.com

wickr.me:8080 and https://wickr.me:8443/ redirect to wickr.com

Lastly, https://50.87.238.205/ fails to forward to wickr.com and tries wickr.org.

That server appears to be vulnerable to the following CVEs, but this is unconfirmed...
Note: the server may not be impacted by all of these issues. The vulnerabilities are implied based on the software and version. Just trying to share everything I can with you.

CVE-2011-5000 The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.
CVE-2010-4478 OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.
CVE-2014-1692 The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.
CVE-2010-5107 The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
CVE-2017-15906 The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
CVE-2016-10708 sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
CVE-2016-0777 The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.
CVE-2011-4327 ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call.
CVE-2010-4755 The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
CVE-2012-0814 The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.

I stopped here but could continue looking further if you'd like. Thank you in advance.