HackDig : Dig high-quality web security articles for hackers

I Want My CMS

2015-05-15 22:45

“I want my MTV...” One of the most iconic lines from one of the greatest rock songs of the 80’s, “Money For Nothing”. OK, not just from the 80’s, but of all time. But rock nostalgia aside, this is the line that pops into my head every time I think about redesigning my website. It’s an ancient, outdated piece of garbage, thrown together quickly in Dreamweaver back in the days when people did that sort of thing. And each time I get ready to do something about it, I hear Mark Knopfler’s awesome guitar riff and I think “I want my CMS”.

his, of course, begs the question, “Why don’t you just go get a CMS, then?” It’s a good question. Content management systems like WordPress and Joomla! make it exceptionally easy to stand up a very professional-looking website faster than you can say Cascading Style Sheets. They make for simple maintenance and snazzy content, even if you don’t know anything about coding up a web application (or even basic HTML). Responsive websites? No problem. Sliders, drop-downs, and slick graphical elements? Piece of cake.

And the news keeps getting better. Most content management systems are free and open source. Even merely passable programmers can extend their functionality, while large user communities and third parties are always contributing new modules, plugins, and extensions that make your friendly neighborhood CMS a platform worthy of a Fortune 500 website. Not a Fortune 500 company? Not an issue. Christie’s Consulting Service or Bob’s Bodacious Baskets can whip up a site complete with e-commerce, a blog, and complete social integration with nothing more than a web host and some time.

This is why almost a quarter of the websites in the world use WordPress. Another 15% use some other CMS to power their sites. It’s easy and the most mature systems are stunningly powerful.

But, to paraphrase Spiderman, with great power comes great security risks. I’ve built websites in WordPress, Joomla!, Drupal, and Concrete. Some were for internal projects with employers, some were for clients. In either case, I didn’t worry overly about security. Set reasonable permissions on the website directories, don’t be stupid about MySQL and CMS passwords, and you’re good, right?

Wrong...They say that ignorance is bliss and that certainly applies to security. Working for a company like Fortinet, though, and spending my days talking with researchers and developers quickly takes any ignorance (and the associated bliss) about security and flushes it down the toilet. If I had a dollar for every time I heard the phrase “cross-site scripting vulnerabilities are a dime a dozen” I’d worry less about paying for my kids’ college tuition.

Unfortunately, all those great plugins and extensions that add so much functionality to most content management systems can be problematic, even if the underlying CMS is fairly secure. Not all of them, of course, but most of the CMS-related vulnerabilities we disclose are in plugins rather than the CMSs themselves.

Even if people are running completely clean, up-to-date installations of their favorite content management system, though, security issues often rear their ugly heads. A common example occurs with many shared web hosting providers. They’re cheap, easy ways to get a domain and quickly build a web presence, ideal for the millions of small and midsized businesses that use them. Yet they don’t give access to the underlying server and rarely make it easy (or even possible) to set correct permissions on the folders in which the CMS resides. More than a few walkthroughs for setting up web applications on various hosting providers suggest changing permissions to “777” on certain folders to avoid the permissions problems that tend to crop up when installing a CMS. In Linux-land, 777 is wide open to applications, users, and vaguely savvy hackers.

So what’s the average small business, school, or non-profit to do? There are battle-hardened enterprise content management systems out there, but cost can be prohibitive for smaller organizations. There’s a reason you were looking at free software, right? It also isn’t time to recruit your 15-year old neighbor kid to gin up a website from scratch. There is no such thing as an unhackable website, whether it’s an open source CMS running on a cut-rate web host or a static site sitting in a corporate data center.

What this really comes down to is making the best choices you can and implementing the best practices you can within the constraints of your business. For example, if you go down the WordPress road, consider using a web host with expertise in WordPress and/or dedicated WordPress monitoring services. If you can host any CMS yourself or on a public cloud service like AWS or Microsoft Azure, you get complete control of the server (allowing you to deal with permissions the right way instead of using insecure workarounds) and you can place the web server (virtual or otherwise) behind a firewall to monitor for the sorts of traffic that indicate a hack.

Regular updates of the CMS and any plugins you absolutely need (any you don’t should be eliminated) can also make your site more secure.

That said, I’m still in search of the holy grail of content management systems. It needs to be easy enough for the average SMB to install and administer, cheap enough to be widely accessible, and have the core functions for which people often turn to third-party plugins (e.g., e-commerce and social sharing) baked into the CMS itself. That way, these functions are part of the larger web application that, in the case of open source software, will undergo rigorous community testing and development. I’m afraid we still have a ways to go, but I’d be interested in your thoughts - share your opinions on the most secure CMS you’ve used or whether you think the term “secure CMS” is a hopeless oxymoron.

Source: smc-ym-tnaw-i/tsop/moc.tenitrof.golb

Read:3952 | Comments:0 | Tags:No Tag

“I Want My CMS”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud