There are vulnerabilities in Web Content Management Systems (WCMS) which are often overlooked, such as stored and reflected cross-site scripting attacks.
During my time as a penetration tester I have come across a series of Web Content Management Systems (WCMS) including both Free Open Source Software (FOSS) and Commercial Off The Shelf (COTS) software deployed in a number of private and public institutions.
The purpose of WCMS’s are to provide an easy alternative method for website designers and developers to create interactive web site content that is easy to both manage and administer. It is also regularly touted that a number of benefits can be gained from using a WCMS over custom developed websites. One of which is an “increased level of security.”
However, during my penetration testing endeavours I have found that a number of WCMSs are vulnerable to many exploitable security vulnerabilities. An example, was a version of Alfresco CMS that I recently tested for a client, which was vulnerable to stored and reflected cross-site scripting attacks, access control issues and file upload vulnerabilities. In this particular scenario it was possible for users with guest level access (lowest level) to escalate their privileges to that of a co-ordinator (administrator level) by exploiting a stored cross-site scripting flaw in a forum to obtain the co-ordinator’s session information. It was also possible for a guest user to view an assortment of data available within the application including sensitive documents, emails belonging to staff members (including company director) and view all the available users in the system due to Access control issues. The impact of these vulnerabilities were high because the system was used by both staff members and affiliated companies.
Other vulnerable WCMSs I have tested include Drupal, Kentico, WordPress and Umbraco, all of which suffered from one or more of the following; SQL injection, cross-site scripting, weak passwords, cross-site request forgery, access control issues and file upload vulnerabilities to name a few.
In the majority of cases the versions were out-dated, but were in use on public facing web servers and so at risk. Therefore, It is very important to ensure WCMS are kept up-to-date. I have found that more mature WCMSs do tend to have less vulnerabilities than custom developed applications, if they are kept up-to-date. It would also be worth considering penetration testing to help determine your risks.