How to secure your CMS without patching

Attackers are exploiting CMSes by reverse-engineering security patches before they can be applied. German coders see a way to stop them.

In as little as four hours, attackers can reverse-engineer a security patch for an open-source content management system (CMS), build a working exploit from the difference between the old and new code, and use it to turn millions of unpatched websites into spam relays, malware hosts or DDoS bots.

"There's just not enough time for normal site owners to apply the updates," said David Jardin, a member of the German association CMS Garden, which promotes the use of open source CMS software including Drupal, Joomla, WordPress and others.

To help ordinary users patch more quickly, CMS Garden is participating in a government-funded project, Secure Websites and Content Management Systems (Siwecos), to make the websites of SMEs more secure. 

Siwecos is a three-pronged effort, Jardin said.

Project participants including researchers at the University of Bochum are building a scanning engine that will give business owners feedback about potential security problems on their website, such as SSL/TLS misconfiguration or cross-site scripting vulnerabilities.

CMS Garden is contributing the second part: A series of plugins for different open-source CMSes that will provide that feedback from within the CMS management interface, where site owners can act on it immediately.

The third part, and the one Jardin is most excited about, is a service that will help web hosting companies filter out attacks before they reach vulnerable CMS installations.

Jardin pitched the project to a June meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG, an organization that aims to fight abuse of internet infrastructure).

There's no inherent insecurity with the systems CMS Garden promotes, as Jardin sees it. The problem is that the site owners using them just don't have time to keep their systems up to date. Better, then, to take them out of the loop.

"I want to remove the site owners from the chain of responsibility by talking to the web host directly," he said.

He's not expecting web hosts to patch their customers' CMSes for them. Instead, at the same time as the patches go out, he's offering the web hosts ready-made filter rules for their web application firewalls (WAFs), designed to block the same exploits that the patches close. In effect the host applies a virtual patch at the network edge while the code on disk stays unpatched.

"They can apply it right away and work around the end user, giving them way more time to apply the patch," he said. "We've been doing this on a small scale for quite some time already for the Joomla project and a number of German web hosts, with tremendous effect."

In one recent incident, a German hosting company that applied one of the filters blocked 150,000 requests per hour in the first day after a Joomla patch was released.

Web hosts could create such filters for themselves, but that would involve them reverse-engineering the patch too. It's quicker and safer to leave it to groups like CMS Garden, said Jardin.

"For the CMS community it's not a big deal because we know our systems pretty well. We can figure out a rule that doesn't have many side effects, no false positives, and for the web hosting company it's free of charge and safe."
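The mechanism Jardin describes, as an added example that is not Siwecos, CMS Garden or Joomla code: a minimal WAF-style request filter that a host could drop in front of unpatched installations. The rule in it is a placeholder with a made-up rule id, endpoint path and pattern; it does not describe any real CMS vulnerability. What the example shows is the shape of a virtual patch (match on method, path and one parameter; deny; count) and one caveat that decides whether the rule is "free of side effects": the parameter must be URL-decoded before matching, or a percent-encoded (or double-encoded) payload walks past the pattern. The sample traffic is constructed.

```python
"""Virtual patching at the host: a minimal WAF-style request filter.

Added example, not Siwecos / CMS Garden code. The rule below is a
placeholder (hypothetical id, path and pattern) standing in for whatever
input the real patch rejects.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit


class Rule:
    """One virtual-patch rule: deny when method, path and a parameter value all match."""

    def __init__(self, rule_id, methods, path_regex, param, value_regex, msg):
        self.id = rule_id
        self.methods = set(methods)
        self.path = re.compile(path_regex)
        self.param = param
        self.value = re.compile(value_regex, re.IGNORECASE)
        self.msg = msg

    def matches(self, method, path, params):
        if method not in self.methods or not self.path.search(path):
            return False
        # parse_qs already decoded once; decoding again catches double-encoded
        # payloads (%253A -> %3A -> ':'). Trade-off: a literal '+' in an
        # already-decoded value becomes a space on this second pass.
        return any(self.value.search(unquote_plus(v)) for v in params.get(self.param, []))


class VirtualPatchFilter:
    """Applies rules to requests; keeps a per-rule block counter and a deny log."""

    def __init__(self, rules):
        self.rules = rules
        self.blocked = Counter()  # rule id -> number of denied requests
        self.log = []

    @staticmethod
    def _params(url, body):
        # Merge query-string and form-body parameters; a rule should not care
        # which channel the attacker chose.
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if body:
            for key, values in parse_qs(body, keep_blank_values=True).items():
                params.setdefault(key, []).extend(values)
        return params

    def handle(self, method, url, body="", client="-"):
        """Return the HTTP status the edge would answer: 403 if a rule fires, else 200."""
        path = urlsplit(url).path
        params = self._params(url, body)
        for rule in self.rules:
            if rule.matches(method, path, params):
                self.blocked[rule.id] += 1
                self.log.append(f"deny {client} {method} {path} rule={rule.id} msg={rule.msg}")
                return 403
        return 200


# Placeholder rule (hypothetical): deny POSTs to a made-up endpoint whose
# 'payload' parameter carries a PHP serialized-object prefix, the kind of
# input a fix for an unserialize() bug would reject. Not a real CMS rule.
RULES = [
    Rule(900001, ["POST"], r"^/example-endpoint\.php$", "payload",
         r'O:\d+:"', "serialized PHP object in payload (hypothetical rule)"),
]

# Constructed sample traffic: one benign page view, one benign POST, then the
# same payload plain, percent-encoded and double-encoded.
SAMPLE = [
    ("GET", "/index.php?option=com_content&view=article&id=7", "", "203.0.113.5"),
    ("POST", "/example-endpoint.php", "payload=hello+world", "203.0.113.5"),
    ("POST", "/example-endpoint.php", 'payload=O:4:"Evil":0:{}', "198.51.100.9"),
    ("POST", "/example-endpoint.php", "payload=O%3A4%3A%22Evil%22%3A0%3A%7B%7D", "198.51.100.9"),
    ("POST", "/example-endpoint.php", "payload=O%253A4%253A%2522Evil%2522%253A0%253A%257B%257D", "198.51.100.9"),
]


def replay(traffic=SAMPLE, rules=RULES):
    """Run the traffic through a fresh filter; return (statuses, filter) for inspection."""
    waf = VirtualPatchFilter(rules)
    statuses = [waf.handle(method, url, body, client) for method, url, body, client in traffic]
    return statuses, waf


if __name__ == "__main__":
    statuses, waf = replay()
    print(statuses, dict(waf.blocked))
    print("\n".join(waf.log))
```

The two benign requests pass untouched (that is the "no false positives" property Jardin asks of a rule), and all three encodings of the same payload are denied and counted under the rule id, which is the number a host would report as "requests blocked in the first day".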

While the Siwecos project is funded by the German government and aimed primarily at German SMEs, internet traffic knows no boundaries. 

"Even German companies host their sites all over the globe," said Jardin. "We are talking to pretty much everyone so it's more a global program."

The Siwecos scanning system will use a modular API. It's in a closed beta test for now, but its developers expect to open it up by September, when they will publish the first plugins for it. Modules under development include one for scanning HTTP headers relevant to security, such as those for Content Security Policy.

"The CSP headers are quite relevant because they can prevent exploits from working even if a site has been infected," Jardin said. There will also be scanners to validate SSL and TLS certificates in the server settings, and to check for malware in HTML code.
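What such a header-scanning module would check, as an added example that is not Siwecos code: a scanner that takes one response's headers and reports the missing or weak settings. It goes a step beyond presence checks because a CSP only delivers the protection Jardin describes if it actually stops injected script: a `script-src` that allows `'unsafe-inline'` (with no nonce or hash) or a wildcard source lets an injected inline `<script>` run regardless, and a CSP without `object-src` leaves `<object>` injection open. The two header sets below are constructed, not captured from any real site.

```python
"""Security-header scan in the spirit of the Siwecos header module.

Added example, not Siwecos code. Runs offline over a constructed header
dictionary; all header values below are made up.
"""
import re

# Headers the scanner expects, with the finding reported when each is absent.
REQUIRED = {
    "content-security-policy": "no Content-Security-Policy: injected scripts run unrestricted",
    "strict-transport-security": "no Strict-Transport-Security: connections can be downgraded to HTTP",
    "x-content-type-options": "no X-Content-Type-Options: nosniff; browsers may sniff uploads as scripts",
}
ONE_YEAR = 31536000


def parse_csp(value):
    """Parse "script-src 'self' cdn; object-src 'none'" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_csp(value):
    """Report CSP settings that would still let an injected script execute."""
    findings = []
    policy = parse_csp(value)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return ["CSP sets neither script-src nor default-src: scripts unrestricted"]
    lowered = [s.lower() for s in script]
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so it is only a weakness when no nonce/hash accompanies it.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline <script> still runs")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks stay open")
    for s in lowered:
        if s in ("*", "http:", "https:", "data:"):
            findings.append(f"script-src allows {s}: scripts may load from any origin")
    # Without object-src, plugin content can be injected instead of a script.
    default = [s.lower() for s in policy.get("default-src", [])]
    if "object-src" not in policy and "'none'" not in default:
        findings.append("object-src not restricted: injected <object> content not blocked")
    return findings


def check_hsts(value):
    """HSTS is ignored without max-age; short lifetimes weaken it."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return ["Strict-Transport-Security has no max-age: header is ignored"]
    if int(m.group(1)) < ONE_YEAR:
        return [f"Strict-Transport-Security max-age={m.group(1)} is under one year"]
    return []


def scan_headers(headers):
    """Return findings for one HTTP response's headers (dict; names case-insensitive)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    if "content-security-policy" in h:
        findings.extend(check_csp(h["content-security-policy"]))
    if "strict-transport-security" in h:
        findings.extend(check_hsts(h["strict-transport-security"]))
    # Framing control: either X-Frame-Options or CSP frame-ancestors is enough.
    csp = parse_csp(h.get("content-security-policy", ""))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: page can be framed")
    return findings


# Constructed sample responses (not real sites).
WEAK = {
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "Strict-Transport-Security": "max-age=3600",
}
HARDENED = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, scan_headers(headers))
```

The hardened set yields no findings even though it keeps `'unsafe-inline'` (it is a fallback for old browsers and is overridden by the nonce) and has no `X-Frame-Options` (covered by `frame-ancestors`); the weak set yields six, of which the `'unsafe-inline'` and `*` findings are the ones that matter for Jardin's point, because a CSP that permits them does nothing against script injected into an already-compromised page.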

Jardin hopes to launch the web host service in September too. It will begin with a private mailing list so as to avoid giving bad actors additional clues for exploiting CMSes before they can be patched or otherwise protected.

"If you take a look at the firewall rules it's going to be rather easy for an experienced attacker to build an exploit. That's why we want to limit the circle of recipients."

The web app firewall element of Siwecos has some overlap with work WordPress is doing with some web hosts. Siwecos, though, is working with multiple CMS projects and will be open to more web hosts, he said. "The beauty of our project is that it's one central place for information about all CMSes."

Commercial web application firewall vendors have nothing to fear from the project, and much to gain, according to Jardin.

"They don't know our applications and they don't have any up-front information about security issues. It's going to take them at least 24 to 48 hours until they have the rule set in place that we can provide right from the beginning. That's the thing that's completely new."

Peter Sayer

IDG News Service