January 18, 2018 by Agnes Talalaev
Web content management is one of the cornerstones of the cyberspace. Strictly speaking, there is much more to managing content than the web, yet the emergence of the web as the key surface of an interface to the cyberspace has led the discussion around CMS security to be connoted to the web in particular.
Web content management systems are key enablers for users to publish their content in the cyberspace. As publishing is one of the core domains of governmental and regulative interest, web content management follows, and particularly the security aspects of those management systems as well.
Web publishing systems are, however, numerous and so are hostile actors as well. What is the status of overall security of popular content management systems?
Fame and celebrity may only rarely come alone. WordPress has earned its place on the top of the popular content management systems, but also become to be one of the most exploited one.
Vulnerabilities are many and one-click attack tools readily available for criminal and intelligence communities alike.
Already in the early days of WordPress, its easiness and simplicity attracted a good number of publishers and authors online. Some of those got even jailed due to their political writings online and the number of vulnerabilities and exploits to target WordPress sites increased rapidly.
This year, there was a record high number of WordPress vulnerabilities announced in public. Those are concentrated around custom modules, themes and particularly browser-related vulnerabilities (XSS).
Browser attacks could potentially enable an attacker to hijack session or inject malicious code into the target system. Keeping up to date with most recent versions is crucial, yet something that may show up as a practical barrier for many users, particularly those with limited technical knowledge.
Publishing in cyberspace may require more than just static articles with loud titles and big headlines. Modern online publication in the cyberspace needs additional features and functions, which may require more capabilities than what a simple blogging framework could ever offer.
One of the most popular content management system with good application development capabilities is Drupal. And what is more, it performs well when it comes to the number of vulnerabilities announced this year.
Drupal Core had this year record low number of vulnerabilities listed by public MITRE vulnerability organization. This should be, however, noted together with the fact that Drupal is an extendable and modular framework, and many vulnerabilities origin from additional themes, modules or components in use and those would not be recorded as core Drupal vulnerabilities when listed in public vulnerability databases.
Not every project is a success and perhaps Joomla is one example of such a project that has produced more vulnerabilities that meets the eye.
However, lucky thing is that the content management system was, and still is, mainly adopted by low-profile organizations. Joomla or its predecessor Mambo did not attract much attention in the commercial environment, even while still used in a limited number of business applications.
One reason for the fate of Joomla might be because of its legacy as one of the very first open-source content management system projects. Originally named as Mambo, the project migrated under the Joomla label after nearly ten years of development.
In terms of vulnerabilities recorded, Joomla is with high numbers. The year 2017 had almost as many vulnerabilities identified as ten years ago. What is more, the nature of vulnerabilities was worrying with code execution, SQL injection and data leakage all in nearly even level.
And like many other popular content management systems, Joomla provides a framework for custom module development and markets and thus is likely to inhibit more vulnerabilities that are specific to some modules and custom components, that are not recorded as vulnerabilities of the core application.
Attaining decent stability when it comes to new vulnerabilities identified and patched versions delivered, Joomla may not show at the moment much different from others.
Yet, when it comes to content management system security, one of the most important aspects is the capability of the development organization to improve and renew. It is perhaps those two last things, or the lack of them, that are so easily connoted with Joomla system.
Without too much of panic, it may be a good strategy to assign a higher level of security investment to legacy Joomla applications today and schedule their lifecycle accordingly, build additional security measures around them and plan for the migration of services on to more modern and secure platforms in at least 2-3 years.
Before you choose a content management system for your web project or as the face of your company online, make sure you know everything that comes with the CMS. Before you start building the site or find an agency or developer who will build it for you, make sure the agency or developer is also aware of the security measures needed for your content management system.
If you have a website or are starting to build one make sure any of the content management system that you use is protected with a web application firewall. You can protect your site here.