Germany's Federal Office for Information Security performed a security analysis on some of the most prevalent Web content management systems, including WordPress, Joomla and Drupal, and recommended that a CMS never be run in its standard configuration. What was your reaction to their report, and how should enterprises approach CMS security?
Ask the Expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
Organizations of all shapes and sizes use CMS products to organize and update website content quickly and easily. These products are designed to make it simple for non-IT professionals to automate many content management tasks, including publishing press releases, tagging content with keywords and other labels, and cross-linking to related content on the site, all while keeping the site SEO-friendly and searchable.
Unfortunately, many websites are compromised through vulnerabilities in unpatched CMSes. This puts organizations at risk of data loss, as well as having their websites turned into drive-by download sites that host malware by inserting malicious iFrames into the content.
The Security Study on Content Management Systems was produced for Germany's Federal Office for Information Security, or BSI, by Digital Communication and the Fraunhofer Institute for IT Security. It analyzes the security of the five most common open source CMS packages: Drupal, Joomla, Plone, TYPO3 and WordPress. The researchers didn't include a penetration test, but they analyzed the phases of each program's lifecycle, available log settings, data protection measures and other factors to understand how IT managers can improve their website's overall CMS security posture.
Overall, the study's authors found that the CMSes reviewed generally have a good level of security, and they were satisfied with the individual providers' CMS security-related processes, such as the process for fixing vulnerabilities. Unfortunately, the relative simplicity of the installation process leads many users to think that these products can be used without any modification to the default settings and configuration. Websites running a popular CMS with default settings are a prime target for hackers, as automated attacks can be launched whenever a vulnerability is discovered.
One of the main recommendations of the report is that a CMS should not be installed and used in its standard configuration, but instead must be securely configured and continuously monitored and maintained. Important changes that should be made to the standard configuration include setting up nonstandard administrator accounts and using HTTPS for operating both the front end and the back end. The CMS should also be integrated into the patch process and upgraded whenever new versions become available. To stay up to date, administrators should subscribe to vulnerability mailing lists for both the CMS and any plug-ins used. In regard to the specific incident in which attackers exploited WordPress to gain unauthorized access to the database behind the Tango online messaging service, the attackers may well have taken advantage of Tango's use of an outdated version of WordPress to break into their backup database and steal confidential user information.
One predictable finding was that far more vulnerabilities occur in CMS plug-ins than in core CMS code. According to the report, on average 76% of all identified vulnerabilities were located in the extensions or add-on modules that can be installed on top of the core package. In Drupal, for example, only 5% of all bugs were found in the actual CMS, while 95% were in the plug-ins. Most plug-ins are not written by developers with a security background, so common coding errors are often repeated; this is why cross-site scripting (at 65%) and SQL injection (at 34%) were found to be the most common vulnerabilities. These vulnerabilities are particularly dangerous, given that most CMS-based sites accept user-generated content. While many plug-ins greatly increase the overall functionality of a CMS, only those that provide essential functions should be installed, and only after a security review.
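To make the two plug-in bug classes concrete, here is an added example (not code from the BSI study or from any real plug-in): a minimal WordPress shortcode that searches a custom table, written first the way many plug-ins are written and then hardened with WordPress's own parameterization and output-escaping APIs. The table name `demo_articles`, the shortcode name and the `q` query parameter are assumptions.

```php
<?php
// Added example: a WordPress shortcode handler in its common vulnerable form
// and its hardened form. Table, shortcode and parameter names are assumed.

// --- Vulnerable form: the two most common plug-in bugs in one handler ---
function demo_vulnerable_search_shortcode() {
    global $wpdb;
    $term = $_GET['q'];                                        // untrusted input used as-is
    // SQL injection: the term is concatenated straight into the query string.
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}demo_articles WHERE title LIKE '%" . $term . "%'"
    );
    $out = '<p>Results for ' . $term . '</p>';                // reflected XSS: no output escaping
    foreach ( $rows as $row ) {
        $out .= '<div>' . $row->title . '</div>';              // stored XSS if titles are user-generated
    }
    return $out;
}

// --- Hardened form ---
function demo_hardened_search_shortcode() {
    global $wpdb;
    // Sanitize on input and cap the length so the parameter cannot be abused.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $term = mb_substr( $term, 0, 100 );
    if ( '' === $term ) {
        return '<p>Enter a search term.</p>';
    }
    // Parameterize: $wpdb->prepare() quotes the value; esc_like() neutralizes LIKE wildcards.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT title FROM {$wpdb->prefix}demo_articles WHERE title LIKE %s LIMIT 20",
            $like
        )
    );
    // Escape on output, every time, for the context the value lands in (HTML text here).
    $out = '<p>Results for ' . esc_html( $term ) . '</p>';
    foreach ( $rows as $row ) {
        $out .= '<div>' . esc_html( $row->title ) . '</div>';
    }
    return $out;
}
add_shortcode( 'demo_search', 'demo_hardened_search_shortcode' );
```

The hardened handler is what a security review of a candidate plug-in should look for: every query parameterized through `$wpdb->prepare()`, and every value escaped at the point it is written into HTML.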
My favorite piece of advice from the report is that IT managers should set aside at least 15 minutes per site, per day to check for available patches, make backups and install patches. If administrators spend time every day checking the sites they run, a lot of basic tasks won't be forgotten or overlooked, thus reducing the window of opportunity for malicious hackers.
This was first published in November 2013