How to secure your CMS without patching

Attackers are exploiting CMSes by reverse-engineering security patches before they can be applied. German coders see a way to stop them.



In as little as four hours, the bad guys can reverse engineer a software patch for an open-source content management system (CMS) and build an exploit capable of turning millions of websites into spammers, malware hosts or DDoS attackers. 

"There's just not enough time for normal site owners to apply the updates," said David Jardin, a member of the German association CMS Garden, which promotes the use of open source CMS software including Drupal, Joomla, WordPress and others.

To help ordinary users patch more quickly, CMS Garden is participating in a government-funded project, Secure Websites and Content Management Systems (Siwecos), to make the websites of SMEs more secure. 

Siwecos is a three-pronged effort, Jardin said.

Project participants including researchers at the University of Bochum are building a scanning engine that will give business owners feedback about potential security problems on their website, such as SSL misconfiguration or vulnerabilities to cross-site scripting attacks.

CMS Garden is contributing the second part: a series of plugins for different open-source CMSes that will surface that feedback from within the CMS management interface, where site owners can act on it immediately.

The third part, and the one Jardin is most excited about, is a service that will help web hosting companies filter out attacks before they reach vulnerable CMS installations.

Jardin pitched the project to a June meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG, an organization that aims to fight abuse of internet infrastructure).

There's no inherent insecurity with the systems CMS Garden promotes, as Jardin sees it. The problem is that the site owners using them just don't have time to keep their systems up to date. Better, then, to take them out of the loop.

"I want to remove the site owners from the chain of responsibility by talking to the web host directly," he said.

He's not expecting web hosts to patch their customers' CMSes for them. Instead, at the same time as the patches go out, he's offering the web hosts ready-made filter rules for their web application firewalls, designed to block the same exploits as the patches.

"They can apply it right away and work around the end user, giving them way more time to apply the patch," he said. "We've been doing this on a small scale for quite some time already for the Joomla project and a number of German web hosts, with tremendous effect."

In one recent incident, a German hosting company that applied one of the filters blocked 150,000 requests per hour in the first day after a Joomla patch was released.

Web hosts could create such filters for themselves, but that would involve them reverse-engineering the patch too. It's quicker and safer to leave it to groups like CMS Garden, said Jardin.

"For the CMS community it's not a big deal because we know our systems pretty well. We can figure out a rule that doesn't have many side effects, no false positives, and for the web hosting company it's free of charge and safe."

While the Siwecos project is funded by the German government and aimed primarily at German SMEs, internet traffic knows no boundaries. 

"Even German companies host their sites all over the globe," said Jardin. "We are talking to pretty much everyone so it's more a global program."

The Siwecos scanning system will use a modular API. It's in a closed beta test for now, but its developers expect to open it up by September, when they will publish the first plugins for it. Modules under development include one for scanning HTTP headers relevant to security, such as those for Content Security Policy.

"The CSP headers are quite relevant because they can prevent exploits from working even if a site has been infected," Jardin said. There will also be scanners to validate SSL and TLS certificates in the server settings, and to check for malware in HTML code.

Jardin hopes to launch the web host service in September too. It will begin with a private mailing list so as to avoid giving bad actors additional clues for exploiting CMSes before they can be patched or otherwise protected.

"If you take a look at the firewall rules it's going to be rather easy for an experienced attacker to build an exploit. That's why we want to limit the circle of recipients."

The web app firewall element of Siwecos has some overlap with work WordPress is doing with some web hosts. Siwecos, though, is working with multiple CMS projects and will be open to more web hosts, he said. "The beauty of our project is that it's one central place for information about all CMSes."

Commercial web application firewall vendors have nothing to fear from the project, and much to gain, according to Jardin.

"They don't know our applications and they don't have any up-front information about security issues. It's going to take them at least 24 to 48 hours until they have the rule set in place that we can provide right from the beginning. That's the thing that's completely new."
