Top 10 most popular CMS under attack in 2018
Review of security vulnerabilities and incidents involving WordPress, Joomla, Drupal and other popular CMS in 2018.
Content Management Systems (CMS) and frameworks make web development simple, accessible and efficient. They provide a method for organizations and individuals to create and upload content, manage users and process e-commerce transactions without requiring the development of all-new code.
However, with hundreds, thousands or more websites all powered by shared codebases, a security flaw in the CMS can have potentially disastrous, far-reaching consequences.
This is not a list of ‘bad’ CMS platforms or a list of CMS platforms to avoid. In most cases, running a properly configured and up-to-date version of a CMS is sufficient to ensure the platform is not a risk by itself. With that in mind, here are our top 10 popular CMS platforms which, nevertheless, may be more vulnerable than you’d expect.
vBulletin is a community-focused CMS, geared towards creating and managing forums and bulletin boards. Websites running unpatched versions of vBulletin leave themselves open to redirect vulnerabilities, remote code execution and authentication bypass. Although vBulletin’s security flaws aren’t too unusual in terms of frequency or severity, zero-days and in-the-wild exploits are a perennial problem for this platform.
In 2016, an SQL injection flaw in vBulletin was exploited to steal login credentials of over 27 million users. Many of these credentials were stored in plaintext, making full account compromise easy. In November 2017, two unpatched zero-day critical vulnerabilities were discovered. The researcher contacted vBulletin, but claimed to have received no response by the time the vulnerabilities were disclosed in December, leaving the flaws publicly known without a security patch to mitigate them.
Plone is described as an ‘enterprise CMS’. It is geared toward internal organizational content management, and is used by many government organizations across the world, including the FBI and CIA. This makes security a top priority for the platform, and the development team has even said “Plone has never received a report of a serious vulnerability in Plone being exploited in the wild”.
This was in response to a claim that the FBI’s website had been hacked thanks to a vulnerability in the Plone platform. While later determined to be almost certainly a hoax, Plone does have known vulnerabilities. As in most cases, the latest versions of Plone have patched all these issues. However, any user running an unpatched build is open to the large number of security risks of varying severity discovered over the last few years.
The MODX Revolution CMS sells itself on its speed and scalability. Open-source and PHP-based, it also claims to be secure. The MODX website supports this claim by citing the NIST NVD, comparing MODX Revolution’s 29 reported vulnerabilities as of April 2018 (33 as of February 2019) to the much higher numbers of vulnerabilities in Joomla, Drupal and WordPress.
Despite this, MODX websites are no more free from security issues than other platforms. In July 2018, a critical access control vulnerability was found being exploited in the wild. Add this to the usual slew of XSS vulnerabilities – along with the occasional RCEs or directory traversals – and the MODX platform still needs its users to be careful with their security and stay up to date or risk compromise of their websites and data.
The Sitecore CMS is aimed at organizations wanting to create a customer-focused website. It aims to provide marketing, e-commerce and general content management features to its users. As far as security vulnerabilities are concerned, the platform had shown very little activity until after the release of Version 8.
This brought several XSS, directory traversal and code execution risks over the course of 2017. Some of these were patched, but a few issues persist into the current iteration of Sitecore, Version 9. Though Version 9 rolled out in October 2017, new vulnerabilities for ‘Version 8.1 and up’ were still being discovered in 2018. Fortunately, the CMS does not have frequent in-the-wild exploits or attack campaigns, though this does not stop the known vulnerabilities being something that users should consider.
One of several open-source, PHP-based CMS, Exponent has greatly improved on its earlier security record. Only one new threat was recorded in the CVE database in 2018, and even that had been discovered and patched in the previous year. That flaw, a privilege escalation vulnerability which left version 2.4.1 of the CMS open to site takeover, was fixed by the Exponent team shortly after it was reported.
However, any site still running older versions of Exponent is taking a fairly big risk by not updating. SQL injection vulnerabilities in version 2.4.1 and earlier are common, as are information disclosure flaws. High-Tech Bridge found one of Exponent’s most serious vulnerabilities to date: an arbitrary code execution flaw affecting version 2.37. This flaw could result in critical data or web server compromise and complete takeover of the affected website.
SharePoint is Microsoft’s CMS designed to integrate with Office 365. Microsoft’s website claims 190 million users across 200,000 customer organizations.
Since its launch in 2001, SharePoint has been geared more towards work collaboration and document sharing than website building. However, it has grown into a highly configurable and integrated solution, and is today used to manage content and assist in the running of many organizations, integrating with other tools used to build and maintain their websites.
The 2018 StackOverflow developer survey placed SharePoint as developers’ most dreaded platform for the second year running. It has a long history of being plagued by security issues, with five new CVE entries in the first month of 2019 alone. The worst of these is a critical code execution vulnerability affecting various Microsoft Office products and SharePoint servers. In 2017, a Ponemon Institute study revealed that 49% of organizations had experienced a data breach in SharePoint over the prior two years.
Magento is a CMS geared toward e-commerce websites. Originally created by Varien, it is currently owned by Adobe. As well as the site-building functionality provided by many CMS, it provides a platform tailor-made for processing transactions and payment details. More sensitive data needs more stringent security, and while Magento’s track record is generally fairly good on this point, the platform is far from free of security issues. This includes a cross-site request forgery risk discovered at the beginning of 2018.
Of all this list’s entries, Magento may have experienced the largest and most recent exploitation campaign. Taking advantage of various flaws in unpatched installations, hackers were able to spread the MagentoCore malware to well over 7,000 Magento websites in 2018. Once in place, the malware would read any payment details sent to the site by users and send them back to the hackers. The MagentoCore campaign has been called the most aggressive and successful payment-skimming campaign to date.
To understand the depth of Drupal’s security issues, you need only consider that it has experienced a security incident nicknamed ‘Drupalgeddon’. Not only this, but the platform would later go through ‘Drupalgeddon 2’ and ‘Drupalgeddon 3’ as well. The first Drupalgeddon, an SQL injection flaw from 2014, prompted Drupal’s security team to advise in their disclosure of the flaw that users should assume “every Drupal 7 website was compromised unless updated or patched…7 hours after the announcement”. Drupalgeddon 2 and 3, both remote code execution flaws, were discovered and widely exploited in 2018.
The unfortunate CMS is also troubled by frequent XSS flaws and other commonly seen vulnerabilities. Even after the Drupalgeddon incidents seemed to have died down, yet more critical flaws were found towards the end of 2018, affecting multiple versions of Drupal. Although the Drupal team is usually prompt in releasing security updates, many sites using Drupal remain exposed to known vulnerabilities because their owners have not applied the patches.
Joomla is another open-source CMS written in PHP. While Joomla powers only a fraction of the number of sites that WordPress does, it is estimated to be the second most popular CMS on the web. It is known for its ease of use, which, although a good feature, runs the risk of attracting less security-savvy users. In 2016, it was estimated to be the second most-compromised web platform after WordPress.
Occasional severe vulnerabilities crop up, such as 2016’s privilege escalation threat which had Joomla’s team urging its users to update as soon as possible or face potential complete site takeover.
2018 was an active year for new Joomla vulnerabilities, with 24 new CVE entries posted over the year – nine of which rated a 6/10 or above for severity. The most severe of these may have been an SQL injection flaw found early in the year. This would allow attackers to gain administrative privilege or compromise sensitive data.
WordPress is the most widely known and widely used CMS by far, and the core platform is among the most secure of all. Two things work against WordPress’ security, however. The first is its popularity. WordPress is the world’s most widely-used content platform, accounting for not only over 60% of the market share among CMS, but over a third of the entire internet.
The second is its customizability. WordPress allows sites to be set up using third-party plugins, so that users can fine-tune the functionality to exactly what they need. This greatly increases the attack surface of the CMS, as each plugin may have its own vulnerabilities – check our blog on the most vulnerable WordPress plugins for more information on this.
Over 50% of all compromised WordPress sites were breached because of a vulnerable plugin. In 2017, it was estimated that over 70% of all WordPress installations were at risk because of improper user setups. Abandoned (legacy) or unpatched plugins are the most popular attack vectors, and large-scale exploitation campaigns can be seen even as we go into 2019.
What should be clear from this survey of ten top CMS platforms is that nothing is secure – it’s a question of which is the least insecure. Most developers are quick to patch known vulnerabilities, but this only helps if the user patches their website just as quickly.
“Cybercriminals are very proactive,” warns High-Tech Bridge CEO Ilia Kolochenko. “As soon as a new vulnerability is discovered in a popular CMS, they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve a perfect prey to the attackers.”
Apart from basic cybersecurity hygiene, such as protecting the administrator account and using strong passwords, the single most important security practice for all CMS users is timely patching.