Dark Reading, Attacks/Breaches, 10/15/2014 08:10 AM
CMS Plug-Ins Put Sites At Risk

Content management systems are increasingly in attackers' crosshairs, with plug-ins, extensions, and themes broadening the attack surfaces for these platforms.

Security research and news reports over the past few months have uncovered a growing number of weaknesses in, and attacks against, the most popular content management systems (CMSs) driving today's typical web properties. WordPress, Joomla, and Drupal have all been subject to high-profile flaws and hacks of late, and most of those flaws were located not in the platforms' core code but in the third-party plug-ins that most administrators install to customize their sites.

Because WordPress is the far-and-away front-runner in installs, it is only logical that it has garnered the lion's share of attacks. According to a report out last week by Imperva, websites running WordPress were attacked 24 percent more than websites running on all other CMS platforms combined. That is unsurprising given the install base: as of February of this year WordPress ran on more than 75 million sites, while second-place Drupal ran on just over 1 million. But a larger share of attacks does not by itself mean that WordPress is any less secure than the other platforms.

"Because it is popular, people investigate WordPress more, and when researchers investigate it more they find more vulnerabilities," says Itsik Mantin, director of security research for Imperva. "If you are using a different platform or just building your own applications, then it is possible you are vulnerable but you don't know it. So you feel more secure, but it doesn't necessarily mean you are indeed more secure."

In fact, the security community often has praise for the developers at Automattic who shepherd the WordPress code base. Ryan Dewhurst, an independent penetration tester and researcher, recently released the WPScan Vulnerability Database, a comprehensive catalogue of the WordPress vulnerabilities he has collected information about over the years. Despite his experience cataloguing these flaws, he has nothing but positive things to say about the WordPress development team.

"WordPress has been around for a long time, and during that time they've had the chance to patch a lot of vulnerabilities and change the way that they develop software in a secure manner," Dewhurst says. "They've got a great team that knows what they're doing, and even though vulnerabilities are still found in WordPress, it is less common for them to be found in their core code."

As he explains, the big problem with vulnerabilities usually comes by way of plug-ins and themes, which are typically written by third-party developers. "This is where you find the most severe vulnerabilities, because these developers have varying degrees of experience within development and security."

On top of that, the attack surface is huge. According to Automattic, the WordPress community has written 33,581 different plug-ins and counting. And it isn't just WordPress that faces the problem of plug-in flaws; this is a universal issue for CMS platforms.

"One of the things that characterizes CMS frameworks is that all the major ones are open-source and are extensible in a way that people tend to add plug-ins, extensions, and modules," Imperva's Mantin says. "It is very hard to control such a large number of plug-ins written by so many different people."

That is why the reports of vulnerabilities, proof-of-concepts, and malicious hacks keep rolling in about CMS frameworks. For example, this summer approximately 50,000 sites were hacked through a vulnerability in the MailPoet Newsletters plug-in for WordPress, which gave attackers an opening to inject PHP backdoors onto the sites, according to researchers with Sucuri. And while MailPoet patched that hole, Sucuri reported last week that unpatched versions of the plug-in are still giving attackers a field day: a compromise reaches not only the affected site but any other website hosted under the same hosting account.

More recently, in September, more than 60,000 sites were affected by a cross-site scripting vulnerability in Mollom, a spam and content moderation module for Drupal. The flaw would enable attackers to gain admin access to vulnerable sites. Similarly, last month researchers with Sucuri reported a vulnerability in the VirtueMart extension for Joomla that would give attackers full control of an affected site and its database.

The difficulty is that plug-ins are somewhat "unavoidable," says Ilia Kolochenko, CEO of High-Tech Bridge.

"People will always want some specific customized features on their websites that no CMS can provide by default," he says. "Of course from time to time new vulnerabilities in major CMS [platforms] are announced, but they represent the vast minority and are usually quite complex to exploit."

The moral of the story is that organizations must be vigilant about updating not only the CMS framework itself but also every plug-in, extension, and theme used to build out a site. In the same vein, organizations with a smaller risk appetite should scrutinize which plug-ins and modules they allow at all. Plug-ins released by hobbyist developers who are unlikely to keep patching them may belong in the virtual dustbin, while those backed by larger development firms with a track record of timely updates are a safer bet.
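One way to act on that advice is to keep an inventory of installed plug-ins and compare it against upstream release data, flagging anything outdated, abandoned, or of unknown origin. The script below is an added example, not code from the article, Imperva, Sucuri, or WordPress itself. The plug-in sources in SAMPLE_PLUGINS and the release data in CATALOG are constructed here with hypothetical slugs; in practice the catalog would be populated from the wordpress.org plug-in API or from each vendor's release notes, and the installed list from the plug-in directory of the site.

```python
"""Inventory and audit WordPress plug-ins for outdated or abandoned code.

Added example, not code from the article or from WordPress/Automattic.
Assumptions (hypothetical): SAMPLE_PLUGINS and CATALOG are constructed
stand-ins; real data would come from the plug-in directory and upstream.
"""
import re
from datetime import date

# WordPress reads plug-in metadata from "Header: value" lines in the comment
# block at the top of the main plug-in file, looking only at the first 8 KB.
HEADER_RE = re.compile(r"^[ \t*]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_plugin_header(src: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from a plug-in's file header."""
    fields = {}
    for m in HEADER_RE.finditer(src[:8192]):
        fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    return fields


def version_key(v: str) -> tuple:
    """Numeric version key so that '1.10.0' > '1.9.1', unlike string comparison.
    Pre-release suffixes such as '-beta' are ignored, which is fine for an audit."""
    return tuple(int(n) for n in re.findall(r"\d+", v)) or (0,)


def audit(installed: dict, catalog: dict, today: date, stale_days: int = 730) -> dict:
    """Map each installed plug-in slug to a list of 'severity: reason' findings.

    installed: slug -> parsed header dict
    catalog:   slug -> {'latest': version string, 'last_updated': date}
    """
    findings = {slug: [] for slug in installed}
    for slug, header in installed.items():
        entry = catalog.get(slug)
        if entry is None:
            # Nothing to compare against: hand-rolled or sideloaded code.
            findings[slug].append("high: not in catalog, unknown provenance")
            continue
        installed_ver = header.get("Version", "0")  # missing header counts as 0
        if version_key(installed_ver) < version_key(entry["latest"]):
            findings[slug].append(
                f"high: outdated {installed_ver} < {entry['latest']}")
        age = (today - entry["last_updated"]).days
        if age > stale_days:
            # Current but unmaintained upstream: nobody is shipping fixes.
            findings[slug].append(f"medium: no upstream release for {age} days")
    return findings


# Constructed plug-in main files with hypothetical slugs (not real plug-ins).
SAMPLE_PLUGINS = {
    "example-newsletter": "<?php\n/*\nPlugin Name: Example Newsletter\nVersion: 2.6.6\n*/\n",
    "example-gallery": "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.10.0\n */\n",
    "example-seo": "<?php\n/*\nPlugin Name: Example SEO\nVersion: 1.9.1\n*/\n",
    "homegrown-widget": "<?php\n/*\nPlugin Name: Homegrown Widget\n*/\n",
}

# Constructed stand-in for upstream release data (latest version, last release).
CATALOG = {
    "example-newsletter": {"latest": "2.6.7", "last_updated": date(2014, 7, 1)},
    "example-gallery": {"latest": "1.10.0", "last_updated": date(2011, 3, 2)},
    "example-seo": {"latest": "1.9.1", "last_updated": date(2014, 10, 2)},
}

AUDIT_DATE = date(2014, 10, 15)  # reference date for the staleness check


def run_audit() -> dict:
    """Parse the sample plug-ins and audit them against the catalog."""
    installed = {slug: parse_plugin_header(src) for slug, src in SAMPLE_PLUGINS.items()}
    return audit(installed, CATALOG, AUDIT_DATE)


if __name__ == "__main__":
    for slug, problems in run_audit().items():
        print(f"{slug}: {'OK' if not problems else '; '.join(problems)}")
```

The three findings map onto the article's advice: an outdated plug-in needs patching now, a plug-in with no upstream release in two years has no one to ship the next patch, and a plug-in with no catalog entry at all is the hobbyist code the risk-averse organization should be questioning. The numeric version key matters because naive string comparison would report "1.10.0" as older than "1.9.1" and miss a missing update.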

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.