CMS Vulnerabilities: Why are CMS platforms common hacking targets?

In the beginning, the world wide web started as static sites. Pages on websites were built on simple and flat HTML text files. As the popularity of the world wide web grew, more features like adding images, storing, uploading and downloading files were introduced.

As a result, building and maintaining entire websites manually became very difficult. In order to overcome this, developers created something called a content management system (CMS) for automating and streamlining the process.

In the early 2000s, open source content management systems like Drupal, WordPress, and Joomla were introduced. They were mainly focused on one thing- make building and maintaining websites easier for non-technical people.

What is a CMS?

A Content Management System (CMS) is a software platform that allows users to build and manage a website with limited technical knowledge and resources. It allows users to create, manage, and modify content on a website with its Graphic User Interface (GUI) which makes interacting very user friendly without the need of any technical knowledge.

A CMS mainly consists of two elements: the Content Management Application (CMA) and the Content Delivery Application (CDA).

CMA allows the administration of users and groups so that they can create, modify and remove site content. It also includes the front-end user interface that allows a user to make changes to a website content without any knowledge of HTML, Cascading Style Sheets (CSS), or any programming languages.

The Content Delivery Application (CDA) compiles these information and updates the website.

The most popular CMS platforms in use today are WordPress, Joomla, and Drupal. According to a w3techs survey, these three platforms combine to support over 75% of all CMS-powered websites currently on the internet.

According to a study by Sucuri, WordPress is the most vulnerable CMS, followed by Joomla and Drupal. Most of them are known vulnerabilities that can be easily detected using automated tools. Considering the fact that a majority of CMS websites run on WordPress, we have written a separate blog that goes into detail about WordPress security.

Why do vulnerabilities occur in CMS platforms?

As the majority of CMS platforms are open source, they are vulnerable by nature. Content management systems built on an open source framework have its benefits like collaborative environment, sharing and modifying the source code together and many more.

But the main concern is that there is no one to take the responsibility of finding and patching the CMS security vulnerabilities on time. Because it’s free and no one takes accountability for dealing with security issues, the final product often has critical security vulnerabilities. Some of these security vulnerabilities are found by either security researchers or attackers.

In the past, before content management systems came into existence, an attacker had to identify a target like a bank, or an ecommerce site. In order to compromise or steal the data, the attacker had to find vulnerabilities in the target.

With content management systems, if an attacker finds a vulnerability, he/she can create a much more efficient way to automate and execute it in a mass-scale level attack. Once a vulnerability has been identified, attackers can use a search engine to easily fingerprint websites based on a CMS and exploit it in multiple CMSs of different companies.

Here is an example for finding websites running on WordPress CMS using Google Dorks.

       "index of" inurl:wp-content/"

   

In addition to this issue, some website owners who use weak passwords are leaving their admin accounts vulnerable to automated brute force attacks. CMSs like WordPress include a default administrator user account named ‘admin’ which makes it easier for an attacker.

Also CMSs have plugins, themes, modules and other integrations. Many CMS plugins and themes are exposed to attacks like cross site scripting, SQL injection, path traversal etc. Vulnerabilities in WordPress plugins and WordPress themes continue to be a serious threat in WordPress websites.

If these vulnerabilities are not fixed on a timely basis, then they can be easily exploited by an attacker. It is recommended not to run a CMS in its default configuration. It should be immediately upgraded whenever a new version is available.

But administrators often forget to update add-ons, while they are upgrading the main system, thereby leaving room for vulnerabilities. Also, WordPress and other CMS platforms use a protocol called ‘XML-RPC’ which is used to provide services like pingbacks, trackbacks and remote access to users. Attackers can use this protocol to initiate DDoS attacks.

Common CMS vulnerabilities

Brute Force Attack

A brute force attack uses a trial-and-error method of entering multiple usernames, passwords or combinations of both over and over until a successful combination is discovered.

By default, WordPress sites do not limit login attempts. So an attacker can program bots to open a login page and start performing a brute force attack. If the password is weak, a brute forcing tool will eventually get the right credentials and obtain access to the application.

WordPress admin login pages are easy to find because all WordPress sites come with a default login page like:

       example.com/wp-admin or example.com/wp-login.php

   

Even if a brute force attack fails, it can still cause problems to your server, as too many login attempts can overload your system and slow down your website.

While you’re under a brute force attack, some hosts may suspend your account, especially if you’re on a shared hosting plan, due to system overloads.

SQL Injection

SQL injection occurs when values being added in the input fields are not properly sanitized allowing for any SQL queries to be potentially executed.

Upon a successful SQL injection, an attacker can possibly obtain access or is able to create a new privileged user account which can then be used to login and get full access to your website.

SQL injections can also be used to insert new data into your database, modify or delete existing data.

Cross-Site Scripting

Cross Site Scripting (XSS) is a client-side injection attack, in which an attacker injects malicious scripts into a web page which when loaded at client side starts collecting data and possibly redirecting to other malicious sites.

This vulnerability is mainly used to steal users session cookies, which allows the attacker to impersonate the victim.

It can be classified into three major categories namely stored XSS, reflected XSS, and DOM-based XSS. It is one of the most common vulnerabilities in websites and it’s very easy to find and fix them. To avoid this type of vulnerability you need to use proper data validation across the website.

DDoS Attack

In Denial of Service (DoS) attacks, a large volume of requests are made to a web server which makes it slow and ultimately it crashes. A server is flooded with requests which overload it and make it inaccessible to its intended users.

Distributed Denial-of-Service (DDoS) is an enhanced version of DoS. DoS attack is performed using single-source while DDoS is an organized attack executed via multiple machines commonly known as botnets. It will hide the origin of the traffic and increase the volume of requests sent.

File Inclusion Exploits

File inclusion vulnerabilities are often found in poorly-coded sites. These vulnerabilities happen when a site allows the user to submit input into files or upload files to the server, if the PHP code does not validate the user supplied input.

File inclusion vulnerabilities are generally classified into two: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

LFI vulnerabilities allow an attacker to read and sometimes execute files on the victim’s machine. If the web server is misconfigured or running with high privileges, the attacker may gain access to sensitive information. Through this vulnerability, attackers can gain access to configuration files in the server.

On the other hand, instead of accessing a file on the local web server, if the attacker is able to execute code hosted on their own machine, it is known as RFI.

Directory Traversal

Directory Traversal is an HTTP attack that allows an attacker to access restricted files, directories and commands that reside outside the web server’s root directory.

It is also known as the ../ (dot dot slash) attack, directory climbing, path traversal or backtracking.

An attacker can use this vulnerability to step out of the web server’s root directory and access other parts of the file system which the web server has read permission to. This might allow the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

How to secure your website from CMS vulnerabilities

There are various things users can do to protect their websites against CMS vulnerabilities and defend systems from attacks. Following are some of the things you can do to keep your CMS website safe.

  • Keep your CMS platforms up-to-date and create a regular schedule to update or patch the CMS vulnerabilities, along with all components like installed plugins and themes.

  • Perform regular backups for the CMS in use and its underlying database, weekly at a minimum.

  • Use parameterized queries to prevent attacks like SQL injection. Also, properly sanitize user input to prevent other injection attacks.

  • Change default usernames like ‘admin’ and use strong passwords (at least eight characters long with a combination of upper case, lower case letters, numbers and special characters) for your website’s admin area and server. Always store passwords as encrypted values and change your passwords regularly to keep them secure and also avoid password reuse.

  • Install SSL on your web server which establishes a secure connection between your server and the client.

  • Rename your admin directories to a name of your choice, only known to your administrators.

  • Keep track of the latest vulnerabilities for the specific CMS you are using by subscribing to any regularly-updated channel or blog. (e.g, WordPress)

  • Use a plugin for strong authentication, or use two-factor authentication (2FA) for an additional layer of protection.

  • Opt for a Web Application Firewall (WAF), which adds an extra layer of security to your CMS website to stay protected from attacks.

  • Scan your CMS website regularly using an automated penetration testing tool like Beagle Security to make sure that there are no vulnerabilities.


Avatar
WRITTEN BY
Sooraj V Nair
Security Engineer
Comments

Latest Articles