Mar 27, 2017

How Companies are Hacked via Basic CMS Vulnerabilities


What is CMS?


CMS (Content Management Systems) is a computer application that supports the creation and modification of digital content [1]. Basically, we use it for website management and preparation. Over time, many organizations have developed their own custom CMS software. With the increase of these software, in 1995, CNET developed the idea that the market of this system could be established by agreement with Vignette in order to develop its own CMS system. In the process, the concept of Content Management System has become a sector and has continued to thrive[1][2].


Content Management System (CMS) is a valid umbrella definition for all of the systems that covers all systems where dynamic content management is a requirement. Moreover, there are many open source or commercial tools implemented that can be classified as CMSs. Some of the popular CMS applications can be listed as; WordPress, Joomla, Drupal, Magento, PHP Nuke, Post Nuke, Mambo Server, DCP portal, Xoops etc [3]. These applications have different characteristics within themselves. For example, WordPress uses the PHP programming language while DotNetNuke uses .NET technology.


Popularity


In recent years, many studies have been performed to determine the popularity of Content Management Systems. Looking at the WordPress statistics, we see that version 4.7 has been downloaded 31 million times [4]. It is also seen that 49.000 plugins have been downloaded 1.5 billion times [5]. The report, published by W3Techs, shows that WordPress, Joomla and Drupal account for 70% of the total CMS usage [6] as shown in Figure 1.



Figure 1 - The popularity of Content Management Systems by numbers. Green bars denote CMS market share distribution while gray bars denote overall Internet website distribution.

Another study of Content Management Systems found that WordPress, Joomla and Drupal covers 85% [7] of the total market as shown Figure 2.

Figure 2 - Total CMS market share distribution.

CMS Pros and Cons From Security Perspective

The most important feature of CMS systems is that they provide common requirements for different content regardless of project type. Some of the advantages of CMS systems are;
  • Easy installation.
  • Many different components can be used immediately. (Forum, questionnaire etc.)
  • User permissions on content can easily be granted.
  • New features can be added online without any technical work.
  • The report provides ease of writing.
  • Since the user-based system is available, the user can easily manage the details.
Content Management Systems have also some disadvantages. The most important of these is security that is also the problem of all web applications and the computing world. Content Management Systems are preferred by many users due to their easy installation and manageability features. Many major companies are also known to use Content Management Systems. For this reason, these systems attract attention of attackers.
Some security issues historically ignored in Content Management Systems are:
  • Ignoring security patches issued by Content Management Systems.
  • Use of default configurations
  • Vulnerabilities in installed 3rd party plugins
  • Lack of security awareness in administrators
These systems, due to the above problems, may become one of the biggest and fruitful targets of the attackers since their technical information is public and known by everyone.

Maybe The Worst CMS Hack Case

Recent years have shown that attackers are using the vulnerabilities of CMS-based websites for data hijacking  of large corporations. One of these attacks is "Panama Papers", which caused a major scandal. "Panama Papers" is a leak of 11.5 million documents from a Panama-based law firm. In these documents, it is argued that money laundering information and secret agreements of the last 40 years are found. It is also claimed that the names of heads of state and large corporations are in the documents [8].
After the emergence of the "Panama Papers" incident, some investigations have been executed. According to the researchers, it is stated that the attackers use security vulnerabilities in CMS based web sites belonging to the firm. One of those vulnerabilities is claimed to be in the WordPress plugin called "RevSlider". As a matter of fact, published reports on CMS systems in the first quarter of 2016 strengthen the claims [9][10].
In the first quarter of 2016, a report has published by "Sucuri" about CMS systems seem to be having serious problems especially in big applications like WordPress [8]. According to the published report, most of the attacks on WordPress are made from vulnerabilities over the installed plugins. The report also shows that “RevSlider”, “GravityForms”, and “TimThumb” plugins are used frequently for successful attacks. Out of which the "RevSlider" plugin, which is allegedly used in the "Panama Papers" case, is often preferred by attackers [10][11][12].

Following Figure 3 shows us the most infected CMS platforms in 2016 Q1
Figure 3 - The most popular Content Management Systems according to [10]

Figure 4 also shows us the ratio of top outdated WordPress plugin vulnerabilities over all vulnerabilities.

Figure 4 - The most popular vulnerable wordpress plugins according to [10].

Another point of interest in the report is that although the fixes for weak attachments were made a long time ago, users have not made the necessary updates. In particular, companies using CMS need to make necessary patches and updates in terms of security.

One of the important issues in Content Management Systems is that the configuration that are used in default installation are not security hardened. For example, files such as readme.html, xmlrpc.php and wp-trackback.php in the root directory of the WordPress application need to be removed from this directory. In particular, the xmlrpc.php file is known to be used in DDoS attacks.

As can be seen from the "Panama Papers" case, large companies using Content Management Systems that are easy to use and low in cost ignore the vulnerabilities in these systems. For this reason, companies are unwittingly becoming targets of attackers.
How to detect CMS usage?
There are many open source and paid projects related to detection and monitoring of Content Management Systems. There are many vulnerability scanning tools for WordPress, Joomla and Drupal, which are used more often in Content Management Systems. The most common of these tools are the Wpscan and Joomscan applications.


Wpscan (WordPress Scanner)

Wpscan is an open source project designed to detect, collect information and identify security vulnerabilities in WordPress websites. The project developed with Ruby is updated frequently, so it can detect current vulnerabilities. It also provides additional information such as references and vulnerabilities [13].


Figure 5 - An example is the result of wpscan.

The information obtained from the application is as follows;
  • Plugin,theme,version, vulnerability enumeration
  • Username enumeration
  • Password bruteforce
  • Timthumb enumeration

In addition, with the help of wpvulndb API developed by the WPScan developer team, information can be obtained according to WordPress version, theme and plugin [14].
Figure 6 - Wpvulndb example.

JoomScan (Joomla Scanner)
Joomscan is an open source project developed with the Perl programming language for collecting information and identifying vulnerabilities for Joomla websites.
Figure 7 - An example is the result of joomscan.
On Joomla websites you can find the following information;
  • Joomla Firewall Detection
  • Joomla Version Detection
  • Plugin and Version Vulnerability
It can also provide exploit information for vulnerabilities found [15].

How to manage CMS vulnerability?

Content Management Systems have been widely used by large companies because of their many advantages. However, serious weaknesses can be found in these systems, making them the target of attackers. Therefore, it is necessary to follow the weaknesses (changelogs, CVE entries, security mailing lists etc.) periodically on the Content Management Systems and to inform the responsible authorities in the company.
The NormShield solution supports automating WordPress and Joomla vulnerability scanners. Customers can scan the WordPress or Joomla web sites they add to the system by selecting WordPressVulnScan or JoomlaVulnScan policies. For example, let’s assume that a scan for the WordPress scanner is created and then the corresponding agent automatically started the scanning process. Once the scan is completed, the information about the theme, plugin, version, and vulnerabilities that are available in WordPress, user information in the database, etc. are imported to the portal where site administrators can analyze. NormShield produces a general score with the help of assigned scores according to the importance of the scan results (Info, Medium, High, Critical, Urgent). In addition, scan results are presented with scan result dashboards including various abstracted, quick-peek graphics.



Figure 8 - Normshield wordpress scan result.



References




[1] https://en.wikipedia.org/wiki/Content_management_system
[2] https://tr.wikipedia.org/wiki/İçerik_yönetim_sistemi
[4] https://wordpress.org/plugins/
[5] https://wordpress.org/download/counter/
[6] https://w3techs.com/technologies/overview/content_management/all
[7] http://www.opensourcecms.com/general/cms-marketshare.php
[8]https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
[9]https://wptavern.com/outdated-and-vulnerable-wordpress-and-drupal-versions-may-have-contributed-to-the-panama-papers-breach
[10] https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
[11] https://sucuri.net/website-security/hacked-reports/Sucuri-Hacked-Website-Report-2016Q2.pdf
[12] https://sucuri.net/website-security/hacked-reports/Sucuri-Hacked-Website-Report-2016Q3.pdf
[13] https://wpscan.org/
[14] https://wpvulndb.com/api
[15] https://github.com/rsrdesarrollo/joomscan-owasp