Model Mayhem continues to struggle with problems of their own making

Model Mayhem is still running nginx version 0.6.34, a version specifically labeled as vulnerable.

Model Mayhem's downtime graph

No site operator wants to see a downtime chart like the one on the right. Model Mayhem has been down 26 times for close to 3 hours in a 24-hour span. General manager Michael Egan posted yesterday that one of the reasons is “We have some stinkin IP from Senegal hitting us at an atrocious rate – blocked that.”

But is that enough? Many will remember that the site was hit with a massive DDoS attack 11 months ago, taking it offline for over a day and leaving it struggling to perform for over a week. Members were told Internet Brands was putting many measures in place to prevent that kind of attack from occurring again.

It’s recently come to light that one security measure the site did not implement may have been the easiest. On November 24, 2009, the National Vulnerability Database, sponsored by the Department of Homeland Security’s National Cyber Security Division, issued an alert warning of several vulnerabilities in older versions of nginx that leave sites running those versions open to DDoS attacks via long URIs. Now, 11 months later, Model Mayhem is still running nginx version 0.6.34, a version specifically labeled as vulnerable. The nginx version number is not exactly privileged information: anyone running Safari, or Firefox with Firebug, can read it from the site’s response headers, as this screenshot shows. Oddly, another one of the servers Model Mayhem uses is running a current version of nginx. If you go to http://mms.ibsrv.net/, you’ll clearly see it is running nginx/0.7.65, so it’s unclear why the main site would be running an older, vulnerable version. Whether by oversight or design, the site is still vulnerable.

Model Mayhem header
Model Mayhem's Nginx version number is publicly available information
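As an added illustration (not part of the original article), this is the check a site operator would script over their own hosts: read the Server header from captured HTTP responses and flag any nginx build that sits below a chosen patch baseline. The header blocks, host labels and the 0.7.65 baseline are constructed for the demo from the two version strings the article cites.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses, modelled on the two version strings the
# article mentions (0.6.34 on the main site, 0.7.65 on mms.ibsrv.net) plus
# one host that hides its version (what nginx sends with server_tokens off).
SAMPLE_HEADERS = {
    "main-site": "HTTP/1.1 200 OK\r\nServer: nginx/0.6.34\r\nContent-Type: text/html\r\n\r\n",
    "mms.ibsrv.net": "HTTP/1.1 200 OK\r\nServer: nginx/0.7.65\r\nContent-Type: text/html\r\n\r\n",
    "tokens-off": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
}

Version = Tuple[int, ...]


def parse_server_header(raw: str) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def nginx_version(server_value: Optional[str]) -> Optional[Version]:
    """Extract an nginx version tuple such as (0, 6, 34); None if it is not disclosed."""
    if not server_value:
        return None
    m = re.match(r"nginx/(\d+(?:\.\d+)*)", server_value)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(raw: str, minimum: Version) -> str:
    """Classify one response as 'hidden', 'outdated' (below minimum) or 'current'."""
    v = nginx_version(parse_server_header(raw))
    if v is None:
        return "hidden"
    return "outdated" if v < minimum else "current"   # tuple comparison is numeric


def audit(headers: Dict[str, str], minimum: Version) -> Dict[str, str]:
    """Run assess() over every captured response and return host -> verdict."""
    return {host: assess(raw, minimum) for host, raw in headers.items()}


if __name__ == "__main__":
    # The baseline is an assumption for the demo; use your own patch baseline.
    for host, verdict in audit(SAMPLE_HEADERS, (0, 7, 65)).items():
        print(f"{host}: {verdict}")
```

A "hidden" verdict is not a clean bill of health: nginx's `server_tokens off;` removes the banner but not the vulnerability, so hidden hosts still need their version confirmed from the box itself.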