What if there was a project which checks all available extensions for popular CMS (such as Joomla or WordPress) for vulnerabilities and thereby creates a list of “trusted” and secure plugins on which people can rely?
During the last weeks I spent much time thinking about the security of websites in general. While many webmasters are unaware of many security threats and simply don’t possess much knowledge in this area, a lot of them adopt popular CMS (such as Joomla, WordPress, Drupal etc.) and use addons to enhance their sites.
What some of them forget is to check whether the software they use is vulnerable in any way. The result is that thousands of new insecure websites are created every day and can be abused easily in many ways. I find it very shocking that even large companies rely on the script vendors and store sensitive company/customer data in the website. One serious case I was able to witness involves a component supplier for the German car industry.
While the corporation itself seems to be very large, their website was made by a freelancer. He uses a well-known CMS with a few modifications and commercial themes/layouts. While browsing the website it was obvious that there might be several SQL injection vulnerabilities which would allow attackers to access the whole database and obtain information which could be used for industrial espionage.
But it is so easy to check whether one’s own website is vulnerable to the most common attacks (SQL injection, local/remote file inclusion, XSS, CSRF, information disclosure, weak passwords, software misconfiguration). A good start would be to simply browse vulnerability databases. Or googling for “software product name vulnerability”. Or asking someone with security knowledge to check your website. Or learning about the most popular web vulnerabilities and checking the website yourself.
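The “browse vulnerability databases” step above can be automated once you have an inventory of the installed extensions and their versions. The following script is an added example written for this post, not code from the original article or from any CMS project: it compares installed extension versions against advisory entries that give an affected version range, and reports each extension as vulnerable, as having no known issues, or as not covered by any advisory at all. The extension names (`acme_gallery`, `acme_guestbook`, `acme_forms`), their versions and the advisory entries are all constructed for illustration and do not refer to real plugins or real advisories.

```python
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' or '2.1.3-rc1' into a comparable tuple of ints.
    Non-numeric suffixes are ignored; missing components count as 0,
    so '1.4' and '1.4.0' compare equal."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass
class Advisory:
    extension: str
    affected_below: str        # first fixed version (exclusive upper bound)
    affected_from: str = "0"   # lowest affected version (inclusive)
    issue: str = ""


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when the installed version falls inside the advisory's range."""
    v = parse_version(installed)
    return parse_version(adv.affected_from) <= v < parse_version(adv.affected_below)


def audit(installed: dict, advisories: list) -> dict:
    """Return {extension: {"status": ..., "issues": [...]}}.

    status is 'vulnerable', 'no known issues' or 'no advisory data'.
    The last one matters: an extension nobody has reviewed is not
    the same thing as an extension known to be clean."""
    by_ext: dict = {}
    for adv in advisories:
        by_ext.setdefault(adv.extension, []).append(adv)

    report = {}
    for ext, version in installed.items():
        advs = by_ext.get(ext)
        if not advs:
            report[ext] = {"status": "no advisory data", "issues": []}
            continue
        hits = [a.issue for a in advs if is_affected(version, a)]
        report[ext] = {
            "status": "vulnerable" if hits else "no known issues",
            "issues": hits,
        }
    return report


# Constructed sample data (hypothetical extensions and advisories).
ADVISORIES = [
    Advisory("acme_gallery", affected_from="1.0", affected_below="1.4.2",
             issue="SQL injection in album listing"),
    Advisory("acme_guestbook", affected_below="2.1",
             issue="stored XSS in guestbook entries"),
    Advisory("acme_guestbook", affected_from="2.1", affected_below="2.1.3",
             issue="CSRF on entry deletion"),
]

# Constructed inventory of what a site has installed.
INSTALLED = {
    "acme_gallery": "1.3.9",
    "acme_guestbook": "2.1.3",
    "acme_forms": "3.0",
}


if __name__ == "__main__":
    for ext, result in audit(INSTALLED, ADVISORIES).items():
        line = f"{ext} {INSTALLED[ext]}: {result['status']}"
        if result["issues"]:
            line += " (" + "; ".join(result["issues"]) + ")"
        print(line)
```

In practice the inventory would come from the CMS itself (its extension manager or the manifest files in the extensions directory) and the advisory list from a vulnerability database export; the version comparison and the three-way result are the part worth keeping, because “not in the database” is the most common answer for small plugins and should never be read as “secure”.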
I find it rather sad to see that so many website owners fail to do so. Sadder still is probably the fact that you can’t even hold them responsible for not knowing much about IT security, since not everyone is aware of such issues or has the necessary affinity for technology to know such things.
If I have learned one thing during the past weeks (apart from the material for my final exams 🙂 ), it is that even very experienced webmasters/users/developers may simply not be familiar with web security. While doing some vulnerability research for fun I was given the opportunity to get in contact with many security enthusiasts, security professionals and developers (e.g. of Joomla components). Sometimes it took me many mails to explain to them how their software is vulnerable and how they can fix their products. Some of them even sell their software for a lot of money. And this is in fact a bad thing.
Imagine all the plugins for popular CMS which are released daily – and how many might be vulnerable to simple attacks.
How can normal webmasters be expected to keep up with the daily amount of information and recently published vulnerabilities?
So when building a new website, many of them simply download the CMS (e.g. Joomla), some required components (let’s say a gallery and a guestbook component) and a cool theme. The new website can be completed within hours and the results are still awesome. But maybe also “awesomely” insecure.
Especially when someone sells a website to a customer who has no IT knowledge at all, this can be a huge problem. They most probably never update their scripts, and you can imagine what problems may occur in such cases.
So, what is the solution? How to fight the problem that there are so many plugins/extensions for popular CMS and so many of them might be vulnerable?
One idea might be to found a new project which contains a list of checked extensions. As soon as a new plugin is released the members of this project check it for vulnerabilities and rate it as secure when all tests are passed.
The result would be a list of extensions which were checked by people who are familiar with web security. We would then have a “trusted list of secure software extensions” on which everyone can rely. Of course new versions of existing plugins would also have to be tested, and ideally software vendors would have their software checked before they release it.
While this might be a good idea, it would take many volunteers who are a) competent enough to perform such tests and b) active on a regular basis. Furthermore, such a project should be supported by both the software and the security industries.
Maybe there will be such a project one day and maybe I will even start it one day by myself.
Simply the idea of having a list of secure plugins – no matter for which CMS – is awesome enough, isn’t it?