Plugins and extensions: the Achilles heel of popular CMSs
A by-product of High-Tech Bridge’s ImmuniWeb® web application penetration test SaaS is the frequent discovery of vulnerabilities in popular web applications and CMSs. High-Tech Bridge’s disclosure policy is immediately to notify the vendor, but to allow three weeks for the vulnerability to be fixed before going public with the details (vendors also may ask to extend the disclosure time). During this period a brief announcement of the vulnerability without any exploitable details is posted on High-Tech Bridge’s Research page.
High-Tech Bridge’s purpose is to persuade the vendor to fix the flaw and help make the Internet a safer place for everyone. An example of this in action is the two SQLi flaws found, ironically, in the All In One WP Security plug-in. The vendor was notified on the 3rd of September, with planned full disclosure on the 24th of September. In the event, the flaw was fixed by the vendor on 12th of September with the new version 3.8.3.
The current state of High-Tech Bridge’s Research page shows a number of other recently discovered flaws in WordPress plugins; for example in MaxButtons, the Google Maps plugin and the Google Calendar Events plugin, among others. It is tempting to think, because of this and the recent major Heartbleed and ShellShock vulnerabilities, that open source software including WordPress is inherently insecure. I asked Ilia Kolochenko, High-Tech Bridge’s CEO and founder, if this is an accurate assumption.
The answer, he said, is yes and no. "For upwards of a decade", he told me, "the major CMS platforms such as Joomla and WordPress have been deeply researched by both black and white hat hackers (some well-known CMSs even changed names during their development). In the early days SQL injections (SQLi) and code execution flaws were commonplace. In fact", he added, "around 90% of websites were vulnerable to critical-risk attacks permitting an attacker to take control of the website remotely within a dozen minutes. Nothing in common with the medium-risk XSS vulnerabilities that are very common these days. One should not forget, however, that in the past web applications never hosted so much critical data and personal information. Today it would be fair to say that the vast majority of data breaches are directly or indirectly related to vulnerable web applications and compromised websites."
Time passed, and the code of the CMSs that managed to survive in a dynamic market became mature and secure. Black hats started hoarding their rare 0-days for them, while white hats discovered fewer and fewer critical vulnerabilities, ushering in the XSS epoch of web security. After a decade of hacking, most of the SQLi and XSS flaws have been found (not to mention the PHP file inclusions and RCEs, which died out even earlier), exposed and fixed, and WordPress and Joomla are pretty secure. "I would say," explained Kolochenko, "that a popular CMS such as WordPress or Joomla may be considered secure in a default installation if it is properly configured, has no third-party code (plugins) and is up to date."
That doesn’t mean however that all current installations are safe. Too many administrators use weak passwords that can be brute-forced, or they reuse passwords that can be stolen from other sites. Or phished – the art of social engineering has been turned into a science by cybercriminals. These days hackers tend to use XSS vulnerabilities in various plugins, mixed with social engineering, to get hold of administrators’ accounts (and they succeed in many cases).
"The main weakness in modern CMS sites today," continued Kolochenko, "is not in their core code where 99% of exploitable vulnerabilities were already found and fixed in the past years, but in the plugins written and supported by third-parties. For example it is not WordPress that is vulnerable, but the WordPress plugins, which are often produced by new coders with little experience in security. At the same time plugins are unavoidable as people will always want some specific customized features on their websites that no CMS can provide by default. Of course from time to time new vulnerabilities (or bypasses of previous patches) in major CMSs are announced, but they represent the vast minority and are usually quite complex to exploit."
It is in the plugins that the ‘WordPress’ SQLi and XSS flaws are still common. "A vulnerable plugin means a vulnerable CMS that has this plugin installed", he explained. "By exploiting XSS and SQLi flaws in the plugins, the attacker can get at the admin password the same as if he were exploiting these vulnerabilities in the core code of the web application". The problem for the internet is that there are so many millions of WordPress and Joomla websites produced and operated by very small companies or individuals with no training or understanding of security. WordPress’ own statistics today claim that there are 33,581 different plugins that have a combined total of 747,619,967 downloads. An unknown number of those plugins with an unknown number of downloads will contain security flaws that have nothing to do with WordPress – and yet make the WordPress installation insecure.
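To make the two preceding points concrete (a flaw in a plugin is a flaw in the whole site, and the same SQLi and XSS classes that were once found in CMS cores now turn up in plugin code), here is an added illustration in PHP. It is not code from High-Tech Bridge, WordPress or any of the plugins named in this article; the plugin name, table and function names (`hypo_buttons_*`) are hypothetical. The first handler is a typical inexperienced-coder version: a request parameter spliced into SQL and echoed back unescaped. The second is the same handler written with the WordPress APIs that prevent both flaws, plus a capability and nonce check on a state-changing admin action, which is what stops the "XSS plus social engineering against an admin" attack described above.

```php
<?php
/*
 * Added illustration, not code from any real plugin. "hypo_buttons" is a
 * hypothetical plugin that stores buttons in a custom table and renders one
 * by id. Both handlers run inside WordPress, which provides $wpdb and the
 * helper functions used below.
 */

// --- Vulnerable version: SQLi by string concatenation, XSS by raw echo. ---
function hypo_buttons_render_vulnerable() {
    global $wpdb;
    $id = $_GET['button_id'];   // untrusted and unvalidated
    // The attacker's value is spliced straight into the SQL, e.g.
    //   ?button_id=0 UNION SELECT user_pass FROM wp_users WHERE ID=1
    // which makes the admin's password hash come back as the "label".
    $row = $wpdb->get_row(
        "SELECT label FROM {$wpdb->prefix}hypo_buttons WHERE id = " . $id
    );
    // Whatever came back is echoed without escaping, and a reflected
    //   ?msg=<script>...</script>
    // runs in the browser of whoever clicks the link, including an admin.
    echo '<a class="hypo-btn">' . $row->label . '</a>';
    if ( isset( $_GET['msg'] ) ) {
        echo '<p>' . $_GET['msg'] . '</p>';
    }
}

// --- Hardened version of the same handler. ---
function hypo_buttons_render_safe() {
    global $wpdb;

    // Validate the type: absint() yields a non-negative integer, so no SQL
    // syntax can survive in $id.
    $id = isset( $_GET['button_id'] ) ? absint( $_GET['button_id'] ) : 0;
    if ( 0 === $id ) {
        return;
    }

    // Parameterise with $wpdb->prepare(); %d is an integer placeholder.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT label FROM {$wpdb->prefix}hypo_buttons WHERE id = %d",
            $id
        )
    );
    if ( null === $row ) {
        return;
    }

    // Escape on output, for the context the value lands in (HTML text).
    echo '<a class="hypo-btn">' . esc_html( $row->label ) . '</a>';

    // Sanitise on input and escape on output for the reflected parameter.
    if ( isset( $_GET['msg'] ) ) {
        $msg = sanitize_text_field( wp_unslash( $_GET['msg'] ) );
        echo '<p>' . esc_html( $msg ) . '</p>';
    }
}

// --- State-changing admin action: require capability and nonce. ---
// Without both checks, a crafted link sent to a logged-in administrator
// (the social-engineering step described in the article) performs the
// action on the attacker's behalf.
function hypo_buttons_delete_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'hypo_delete_button' ); // verifies the nonce from wp_nonce_field()/wp_nonce_url()

    global $wpdb;
    $id = isset( $_POST['button_id'] ) ? absint( $_POST['button_id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid button id.' );
    }
    // $wpdb->delete() builds the WHERE clause from the format list, so the
    // value is bound as an integer rather than concatenated.
    $wpdb->delete( $wpdb->prefix . 'hypo_buttons', array( 'id' => $id ), array( '%d' ) );
}
add_action( 'admin_post_hypo_delete_button', 'hypo_buttons_delete_safe' );
```

The hardened handler follows the rule that keeps most plugin code out of advisories like the ones on the Research page: validate and sanitise on input, bind query parameters through `$wpdb->prepare()`, escape on output for the specific context, and gate every state change behind a capability check and a nonce. None of this depends on the WordPress core being patched; the plugin author has to do it.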
The real problem for the internet is that WordPress users tend not to understand the risks nor be able to afford a solution. They tend to think they won’t be a target, when the reality is they are a prime target. Pornographers have been known to ‘hide’ child pornography in orphaned pages on compromised websites where the URL is known only by other paedophiles; web servers are hijacked to deliver spam or operate in a watering hole campaign.
All the average WordPress user can do is guard his password carefully, and try to find any flaws in his plugins. The traditional method is by employing a pentester – but with prices ranging upwards of €10,000 this is hardly realistic for the average WordPress/Joomla site.
Online penetration testing services such as High-Tech Bridge’s own ImmuniWeb are much more affordable – but apart from this, WordPress users are reliant on the white hat hackers like Ilia Kolochenko and his team who find the flaws and help the developers fix them before too much harm can be done.