More Needs To Be Done To Protect CMS
The security industry is not doing enough to secure web Content Management Systems (CMS). With the recent attack on WordPress-enabled sites hosted on GoDaddy and over 125 exploits released in the month of April for Joomla! vulnerabilities alone, this message is important enough to state plainly. Unfortunately, due to a wide variety of circumstances, this issue is largely not understood by the security community.
This is in no small part due to the fact that CMS attacks are often extremely difficult to detect. It is an unfortunate reality that the vast majority of protection products are not capable of homing in on CMS attacks. Rather, most protection products either focus on the generic web application attack aspects of CMS attacks or simply detect nothing. For example, the following published exploit against LiSK CMS (OSVDB-64778) would most likely trigger a broad detection of “SQL Injection” in IPS products and web application firewalls. That detection would not, however, without deeper investigation, allow a security professional to know that the attack was actually aimed at LiSK CMS.
Example (From htbridge.ch)
http://URL/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+
While the broad generalization of this type of attack string is certainly understandable, the question is: is it helpful? On one hand, a generic alert allows a security professional to take immediate action to possibly prevent issues from within their network infrastructure and also allows them to broadly categorize the attack. On the other hand, the alert does not inform the security professional of the underlying issue, and so never allows them to get to the root cause without time-consuming analysis. This makes the collection of metrics on these types of attacks even more difficult. As a result, statistics-backed reports rarely, if ever, cite CMS as a growing vector for attack.
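To make the gap concrete, here is a sketch of the enrichment step a detection pipeline could run on top of a generic SQL injection match, so that the alert also names the CMS being targeted. It is an added example, not code from any product or from the original post. The fingerprint table is constructed: only the LiSK entry is taken from the example above, the WordPress and Joomla! path patterns are illustrative assumptions, and `enrich_alert` is a hypothetical name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Broad pattern of the kind that produces a generic "SQL Injection" alert.
SQLI = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)

# Constructed fingerprints: (CMS, advisory, path pattern, query key that must be present).
# Only the LiSK entry comes from the article; the others are illustrative assumptions.
FINGERPRINTS = [
    ("LiSK CMS", "OSVDB-64778", re.compile(r"/cp_messages\.php$", re.I), "id"),
    ("WordPress", None, re.compile(r"/wp-(admin|content|includes)/|/wp-login\.php$", re.I), None),
    ("Joomla!", None, re.compile(r"/index\.php$", re.I), "option"),
]

def enrich_alert(url):
    """Return the generic verdict plus the CMS the request appears to target."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # '+' decodes to a space
    hits = [name for name, value in params if SQLI.search(value)]
    alert = {"generic": "SQL Injection" if hits else None,
             "parameters": hits, "cms": None, "advisory": None}
    if not hits:
        return alert
    keys = {name for name, _ in params}
    for cms, advisory, path_re, required_key in FINGERPRINTS:
        if path_re.search(parts.path) and (required_key is None or required_key in keys):
            alert["cms"] = cms
            # Cite the advisory only when the injected parameter is the one it covers.
            if advisory and required_key in hits:
                alert["advisory"] = advisory
            break
    return alert

# Constructed sample requests; the first is the article's example URL.
SAMPLES = [
    "http://URL/path_to_cp/cp_messages.php?action=view_inbox&id=-1+union+select+1,2,3,4,5,6,7,8,9+--+",
    "http://URL/index.php?option=com_example&id=1+UNION+SELECT+1,2",
    "http://URL/search.php?q=1+union+select+1",
    "http://URL/path_to_cp/cp_messages.php?action=view_inbox&id=7",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(enrich_alert(url))
```

The third sample shows the case the paragraph above describes: the generic match fires, but with no fingerprint the alert carries no CMS attribution and cannot be counted in CMS attack metrics.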
Unfortunately, whether strong statistics exist or not, the fact of the matter is that CMS is under attack. While most of the major CMS vendors provide some level of security through research and response processes, frankly the level necessary to secure freeware open-source CMS applications is too daunting a task for these organizations to tackle alone. It is therefore imperative that the security community, especially the vendor community, better support CMS security efforts. Until that support is available, please be ready to receive more e-mails like the one below…


