The popularity of Content Management Systems (CMS) is proving to be a boon for hackers. They no longer have to spend long, hard hours identifying a single target. It’s now simply a matter of ‘dorking’ search engines to find and exploit common security vulnerabilities in the thousands of CMS platforms being relied on around the world.
When a company chooses a CMS to support online transactions, they rarely give thought to the fact that the shopping cart mechanism, for instance, can be easily hacked, resulting in PCI violations and credit card and PII data theft.
But how large is the problem? Very, and it cannot be ignored. With every technological advance, once its popularity hits a certain critical mass, comes the unwanted attention of the cyber crims.
They use a search engine to easily fingerprint websites based on a CMS that harbors a known vulnerability. They now have a much larger surface area to attack, via content such as log-in pages, online carts and web forms. Rather than having to make the effort of drilling into an individual PC, ecommerce site, bank or academic institution, they exploit the vulnerability in multiple CMSs, in many companies, fast.
A petri dish of vulnerabilities
Since the arrival of content management systems some 15 years ago, they have developed from being a centralised way to create, manage, publish and store web content files to providing sophisticated control over the enterprise web presence, as a content repository for not only text and embedded graphics and photos but also video, audio and application code. At the enterprise level, the processes associated with file formats, locations, access, security and integrity are automated and optimised by the CMS.
With thousands of CMSs now on the market, hackers have started to explore their inherent weaknesses. A builtwith.com trend graph shows that over 20 per cent of the top 10,000 websites rely on a CMS, a figure that doesn’t include companies that use a CMS as middleware between their content and their front-end website.
The magnitude of this change can be seen in a report by the open software security community, the Open Web Application Security Project (OWASP), of two examples of vulnerable components, the Apache CXF Authentication Bypass and Spring Remote Code Execution, that were downloaded 22 million times in 2011.
The dirty details
- 20 per cent of vulnerabilities discovered in third-party code are found in the CMS core. [BSI in Germany]
- 80 per cent of vulnerabilities are found in plugins and extensions. [BSI in Germany]
- In WordPress, 7 of the top 10 e-Commerce plugins and 20 per cent of the top plugins are vulnerable to attack. [Checkmarx]
Data from Web Technology Surveys highlights the percentages of websites using various content management systems. According to the data:
- WordPress underpins 21.4 per cent of websites
- Joomla! 3.1 per cent
- Drupal 1.9 per cent
But just because a CMS attracts hackers doesn’t mean you can’t protect your business. Assume, rightly, that all third-party code, including the CMS your website is based on, has countless security vulnerabilities. But don’t assume that your software development life cycle will automatically fix these problems, because it won’t.
Specific code authored and owned by someone else cannot be controlled within your environment.
I encourage companies to ‘Dork’ themselves (Google Dorks are advanced searches used to find security loopholes on websites that allow hackers to break into or disrupt the site), to learn as much as possible from experts who know what the evolving risks are, and what precautions can be taken to protect your data and your business from today’s industrialised hacker.
The OWASP Top Ten lists the most critical web application security flaws. The recent addition of item A9 to the OWASP Top 10 describes the threat of ‘using known vulnerable components’, which recognises the problem of using third-party code and applications (like a CMS) with known vulnerabilities and the weaknesses embedded in them.
Be vigilant. Carefully monitor your applications. Have real-time alerting on your web applications that tracks against a baseline of behavior so that any anomaly can be promptly investigated. And patching vulnerabilities, coupled with physical and virtual patching of CVEs, can help guard against security threats.
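As an added example (not code from this article or from any CMS project), here is one way to check an install for ‘known vulnerable components’: it reads the Version field in each WordPress plugin's header comment and flags plugins older than the fixed version in an advisory list. The advisory entries, plugin slugs and sample install are constructed for illustration; a real check would load a maintained advisory feed instead.

```python
import re
import tempfile
from pathlib import Path

# Constructed advisory feed: plugin slug -> first fixed version (invented values).
ADVISORIES = {"example-cart": "2.4.1", "example-forms": "1.9.0"}
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def parse_version(text, width=4):
    """Turn '2.4' or '2.4.0-beta' into a zero-padded tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:width]
    return tuple(nums + [0] * (width - len(nums)))


def plugin_version(plugin_dir):
    """Read the Version field from the plugin's header comment, if any."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match and "plugin name:" in head.lower():
            return match.group(1)
    return None


def audit(plugins_dir, advisories=ADVISORIES):
    """Return (slug, installed, fixed) for plugins below the fixed version."""
    findings = []
    for plugin in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        fixed, have = advisories.get(plugin.name), plugin_version(plugin)
        # An advisory exists and the version is older or cannot be determined.
        if fixed and (have is None or parse_version(have) < parse_version(fixed)):
            findings.append((plugin.name, have or "unknown", fixed))
    return findings


def build_sample(root):
    """Create a constructed plugins directory so the example runs offline."""
    for slug, ver in {"example-cart": "2.3.9", "example-forms": "1.9.0", "example-seo": "0.1"}.items():
        plugin = Path(root) / slug
        plugin.mkdir()
        (plugin / f"{slug}.php").write_text(f"<?php\n/*\n * Plugin Name: {slug}\n * Version: {ver}\n */\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for slug, have, fixed in audit(build_sample(tmp)):
            print(f"{slug}: installed {have}, fixed in {fixed}")
```

A plugin whose version cannot be read is reported as "unknown" rather than skipped, so an unparseable header never hides a component that has an advisory against it.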
Barry Shteiman is director, Security Strategy at Imperva