Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Lack of WordPress User Education Affecting Security Posture
Newest First  |  Oldest First  |  Threaded View
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/15/2015 | 3:43:27 AM
Exploits against Wordpress-a quick look
I like the functionality of the wordpress software and use their website for a security blog.  However, I would be remiss in my duties as a security professional if I failed to mention my high concern for the quantity of exploits I see in history for this product.

I went to the Exploit Db, a site which has proven exploits available for penetration testing.  I see a few dozen pages worth of exploits between what I would say is its inception, and the vast majority of which are confirmed.   By most standards that's a large number of proven exploits.  Granted, a properly patched system is not susceptible to most, if not all of those.  Checks for patches would have to be done a very regular basis, though.

If I was running a Wordpress site, I would be huge on keeping that system patched (automatic updates if possible).  I also remember reading a couple months back that a lot of the issues are with plugins.  Me, I'd stay away from them.  A quick scan of the Exploit DB list shows many are plugin-related exploits.

Security Focus is another good site.  That'll should vulnerability information with sample programs and if patches are available.  Very neat stuff.

Stay safe! Andy
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 4:20:13 PM
Re: Treat web services like any system in the enterprise
Totally agree with you @aws0513,.While there are undoubtedly some rogue enterprise-class departments that set up their own Wordpress blogs and such, the majority of users are most likely small  businesses or individuals who have little experience about defending against security threats.Wordpress and other similar platforms should be doing more.Whether it's training, service packages or baking more protections into the product, or all of the above... I'm not sure.
aws0513
50%
50%
aws0513,
User Rank: Ninja
3/12/2015 | 1:15:40 PM
Re: Treat web services like any system in the enterprise
You are correct Marilyn. 

What services like WordPress provide is an easy to implement solution platform... with just enough rope to hang a neophite with.

It is my belief the biggest cause of issues here would be small businesses that may not have the budget or resources to securely manage web services.  Many of them may be startups where only a handful of people are involved.  Small businesses see services like WordPress as an efficient solution that doesn't require an large amount of support overhead.

One has to wonder if the service providers should be providing guidance and training to customers as part of the service package.  Some service providers do have online training, but how much that training may cover in terms of security practices may vary greatly.

Wordpress just happens to be the big guy on the block.  This translates into more customers that can cause more issues with the service.  It is my opinion that other similar services may have similar security issues but these have not bubbled up because there are fewer customers.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:27:26 AM
Re: Treat web services like any system in the enterprise
aws0513, your points are well-taken. But given that 44 percent of respondents to the survey don't have a website or IT manager, & 3/4 of them don't have any training in WordPress that enterprise users aren't the real problem.Or am i missiing something?

 
aws0513
50%
50%
aws0513,
User Rank: Ninja
3/11/2015 | 11:09:01 AM
Treat web services like any system in the enterprise
If your organization is using a web service of any kind, it should be handled as if it were an in house solution.
  • What purpose will the web service fullfill?
  • Will regulatory data be posted/stored on the service site?
  • If regulatory data is involved, will the service vendor attest to the location of the service systems and the protections provided to those environments (physical and logical)? Example: If the regulatory data falls under HIPAA, the systems cannot exist outside CONUS?
  • Who will "own" the service on behalf of the organization?
  • Who will maintain the service on behalf of the owner?  Are those people properly trained on how to maintain the environment in a responsible and secure manner?
  • Who will be the stewards of the service in terms of utilization standards and oversight?
  • How will access control to the environment be managed?
  • Is there any separation of duties concerns and/or capabilities with the service to help mitigate internal security risks?
  • Who will manage access control?  Are those people properly trained on the access control processes necessary to mitigate risks?
  • What contingency plans are needed to deal with loss of the service?
  • What documentation processes are necessary?  Who will be responsible for the documentation?
  • What auditing capabilities does the service provide?
  • What liability would the organization have if the service is compromised in any way?  What capabilities will the organization have to conduct investigation of incidents?
  • If there is a publicly accessible portion of the service, how can public relations functions in the organization manage public release activities in the service?
  • Has management accepted any risks identified with the organizations use of the services?

This is just a quick off the cuff list.
I am sure there are many other questions that could be developed in this effort. 
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
3/11/2015 | 6:53:25 AM
IT guy
I work with a few Wordpress sites and thankfully there's always someone around to ask if there's a potential problem. I'm glad I'm not managing them though as security headaches are not my cup of tea at all. 

Still, I make sure to practice good security for my end of things and have a monster of a difficult password for each of them. 
gszathmari
50%
50%
gszathmari,
User Rank: Apprentice
3/11/2015 | 5:58:06 AM
WordPress itself can be vulnerable too
WordPress also has its vulnerabilities from time to time. In last November, a critical cross-site scripting vulnerability affected WordPress sites, which could enable anonymous users to compromise a site. 

This article demonstrates a practical exploit of this vulnerability. Be sure you update to 4.0.1, 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25514
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
CVE-2020-25515
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.
CVE-2020-14022
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Star...
CVE-2020-14023
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
CVE-2020-14024
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuratio...