As well as being CEO of penetration testing specialists High-Tech Bridge, Ilia Kolochenko is also perhaps unsurprisingly a white hat hacker of some repute. Equally unsurprising is the fact that he has warned that security vulnerabilities in leading CMS platforms such as Drupal, Joomla and WordPress are effectively leaving the security door wide open for hackers to walk through.
Kolochenko refers to the threat posed by old plugins, passwords and extensions as being the 'Achilles heel of popular CMS' and for good reason. High-Tech Bridge regularly tests popular CMSs via the ImmuniWeb online penetration testing service and equally regularly, sadly, discovers vulnerabilities therein. It follows a strategy of responsible disclosure, which I'm all in favour of, whereby any vulnerabilities are reported to the vendor with immediate effect but no public disclosure (other than a broad statement without exploitable details) is made for three weeks. This gives the vendor ample time to do something about it, and should encourage those who are a bit slow off the mark to focus attention on a fix. All without alerting the bad guys as to how to create code to exploit the hole.
This is obviously a good thing for all of us, with many Joomla and WordPress vulnerabilities coming to light this way, and being patched before any damage can be done. Unfortunately, black as well as white hat hackers do the research and it's always something of an ongoing race to find the holes first. The difference being that the black hats are increasingly after the more critical vulnerabilities that can be kept quiet and exploited in a zero-day manner. Meanwhile, all too often, the white hats are left with less critical stuff which (while still being worth catching) has less of an impact on the overall security posture of a platform.
Reading between the lines, the truth of the matter is that the vast majority of holes in the CMS code base, whichever platform you look at, have been found and fixed over the years. Kolochenko actually reckons that 99% of exploitable vulnerabilities in core CMS code fall into this category. So, CMS usage is pretty safe now then? Well, yes, but not 100% so and admins are partly to blame here. Weak passwords and password reuse are right up there at the top of the insecurity tree, along with social engineering attacks against CMS administrators. The compromise crown has to be placed upon the head of XSS vulnerabilities in plugins, made effective because of both the previous weaknesses.
"The main weakness in modern CMSs sites today" Kolochenko argues can be found "in the plugins written and supported by third-parties." He explains that it's not WordPress itself that is vulnerable but rather the WordPress plugins "which are often produced by new coders with little experience in security." Yet this serves us up with something of a catch 22 situation as we realise the potential for insecurity via plugins but have little choice but to use them thanks to a lack of required, often quite site specific, functionality that the CMS platform itself has by default. "By exploiting XSS and SQLi flaws in the plugins, the attacker can get at the admin password same as if he were exploiting these vulnerabilities in the core code of the web application" Kolochenko says, continuing "the problem for the internet is that there are so many millions of WordPress and Joomla websites produced and operated by very small companies or individuals with no training or understanding in security." He has a point, with WordPress itself admitting it has more than 33,000 available plugins with a combined total of 747,619,967 downloads. Sod's Law dictates that a number of these will fall into the Kolochenko risk category. These plugin security flaws, through no real fault of WordPress itself, will make the entire WordPress installation insecure.
So, be on your guard when it comes to choosing and maintaining your passwords. Be on your guard when it comes to choosing what plugins you use, and apply as much security due diligence in this area as you would when choosing the CMS platform in the first place. Be on your guard when it comes to social engineering, and ensure that you are up to speed on the latest phishing tactics in order to avoid falling victim. All of these things come at either no cost or a very low cost to your budget. If you have the money to throw at the problem, then consider using the services of a penetration testing consultancy or an online service such as ImmuniWeb.