The German Federal Office for Information Security (BSI), together with Fraunhofer SIT and ]init[ AG, released a study on the risks of common content management systems (CMS) for websites. A CMS is typically used to administer a website and makes updating text and other content simple enough that non-IT professionals can do it. Unfortunately, it is also a frequent target for attackers who attempt to gain access to the web server. An attacker who controls the CMS can modify the website. In the past, many websites were compromised through vulnerabilities in unpatched CMS installations and then turned into drive-by download sites by inserting malicious iframes into the content. For example, you might remember the Lizamoon case last year, which resulted in a few hundred thousand websites being compromised by an SQL injection attack.
The study's main focus lies on the open source content management systems Drupal, Joomla!, Plone, TYPO3, and WordPress. The publicly disclosed vulnerabilities for these systems were analysed and counted. On average, 76% of all identified vulnerabilities were located in extensions or add-on modules that are installed on top of the application's core package. Administrators often forget to update the add-on modules as well when the main system is upgraded, thereby leaving them vulnerable. Nevertheless, people should not give up on add-on modules, as they can offer important functionality. For example, not all CMS have built-in protection against password brute-forcing, such as a login delay or CAPTCHA. This can be added by extensions and will definitely help against attackers who scan the Internet for users with weak passwords.
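The login delay mentioned above is the kind of protection such an extension adds. The following is an added illustration, not code from the study or from any of the CMS projects: a progressive failed-login throttle keyed by username and client IP, replayed over a constructed sequence of login attempts (the IP addresses and timings are made up).

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Progressive delay plus lockout for failed logins, keyed by (username, client IP)."""
    base_delay: float = 1.0        # seconds of delay after the first failure
    max_delay: float = 60.0        # cap for the doubling delay
    lockout_after: int = 10        # failures that trigger a hard lockout
    lockout_seconds: float = 900.0
    # (username, ip) -> (failure count, earliest time the next attempt is accepted)
    _state: dict = field(default_factory=dict)

    def check(self, username, ip, now):
        """Call before verifying credentials: (allowed, seconds the caller must wait)."""
        _, not_before = self._state.get((username.lower(), ip), (0, 0.0))
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record(self, username, ip, success, now):
        """Call after verifying credentials; a success clears the counter."""
        key = (username.lower(), ip)
        if success:
            self._state.pop(key, None)
            return
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            # 1s, 2s, 4s, ... slows online guessing without locking out the real user
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[key] = (failures, now + delay)

def simulate(attempts, throttle=None):
    """Replay (time, username, ip, password_ok) tuples; return (allowed, wait) per attempt."""
    throttle = throttle or LoginThrottle()
    verdicts = []
    for now, user, ip, ok in attempts:
        allowed, wait = throttle.check(user, ip, now)
        if allowed:            # rejected attempts never reach the password check
            throttle.record(user, ip, ok, now)
        verdicts.append((allowed, round(wait, 3)))
    return verdicts

# Constructed sequence: one client hammering "admin", then the legitimate login succeeds.
SAMPLE_ATTEMPTS = [(0.0, "admin", "203.0.113.5", False), (0.5, "admin", "203.0.113.5", False),
                   (1.0, "admin", "203.0.113.5", False), (2.0, "admin", "203.0.113.5", False),
                   (3.0, "admin", "203.0.113.5", False), (7.0, "admin", "203.0.113.5", True)]
```

Keying on the username alone would let an attacker lock real users out; keying on the IP alone is blind to guessing spread across many usernames, so a deployment usually tracks both counters.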
Figure 1. Location of the vulnerability in CMS
If we look at the distribution of vulnerabilities by type, as shown in Figure 2, we see that cross-site scripting (XSS) is the most common class, with an average of 65%. However, code execution, with an average of 41%, and SQL injection, with an average of 34%, are also quite common. SQL injection has been on the OWASP Top 10 web vulnerability list for years, and information about mitigation strategies for such vulnerabilities is widely available.
Figure 2. Vulnerabilities by type
One of the main conclusions of the study is that a CMS should never be run in its default configuration and should be upgraded whenever newer versions become available. Sometimes renaming the administration folder is enough to deceive your average script kiddies and keep them out, as they are more likely to go after the low-hanging fruit that their scanners can find. Of course, security by obscurity is not the solution. Therefore, Symantec recommends that when you use a CMS, you integrate it into your patch process and subscribe to vulnerability warnings for the corresponding software.