Content Management Systems Security and Associated Risks
Date: 24 January 2013
This product was developed as a collaborative effort between Public Safety Canada and the U.S. Department of Homeland Security. This informational note is aimed to raise awareness of important cyber security practices in regard to content management systems, specifically Joomla! installations.
Compromised web servers are increasingly being utilized by malicious actors to carry out cyber attacks, such as distributed denial-of-service attacks against critical infrastructure companies around the world. These web servers offer increased networking and computing capacity compared with average user workstations, and are therefore a target of choice for malicious actors to build their attack infrastructure. For this reason, it is imperative to secure servers according to best practices, and thus limit their exposure to control by potentially malicious actors.
Specifically, the compromised servers running Content Management Systems are consistently targeted and leveraged to launch cyber attacks. Content Management Systems (CMSs) are software suites that allow site administrators to easily manage the design, functionality, and operation of websites with minimal technical expertise. In recent years there has been an increase in the number of deployments of CMS software on the Internet. This has been fueled by popular open source projects which are freely available under General Public License (GPL) model. Unfortunately, some CMS web server operators are not following security best practices, exposing them and others to cyber security risks such as compromise and denial of service.
Joomla! is one of the most widely used CMS in the world. It is PHP-based and allows rapid deployment of dynamic content on websites. It is recognized for its simplicity of deployment and usage while offering extensive features and plugins. However, like many other large software packages, Joomla! has been the subject of a number of vulnerabilities in recent years and, if left unpatched, can represent a risk for site owners, and any other Internet users.
The Canadian Cyber Incident Response Centre and US-CERT are aware of malicious actors exploiting unpatched CMS installations, primarily Joomla! installations, to gain control of web servers and launch Distributed Denial of Service (DDoS) attacks against critical infrastructure organizations.
In general, web site administrators should strive to follow patching instructions from their software providers. Additional security practices and guidance are made available by community efforts such as The Open Web Application Security Project (OWASP) and US-CERT's Technical Information Paper on Website Security.
Joomla! and other CMS packages regularly update their software as vulnerabilities are reported and patches are developed. The National Institute of Standards and Technology (NIST) National Vulnerability Database provides assessments of such vulnerabilities, accompanied by links to specific remediation activities for users and administrators to follow.
Specifically, administrators of Joomla! CMS servers should insure their installation includes the latest software version available (http://www.joomla.org/download.html). Additionally, administrators should consider guidance found under the Joomla! community security section and review the following best practices:
- To the extent possible, maintain moderator control for the creation of user accounts. This may limit the use of automated account creation tools and associated automated posting of malicious content or even site compromise.
- Ensure underlying server operating systems, services and software packages, especially third party plugins, are patched and up-to-date.
- Limit common security threat access by leveraging the security capabilities of the .htaccess file of the web server.
- Ensure accounts and files permissions are set properly, including changing the default administration user name and password.
- Enforce strong user password policy.
- Limit version number exposure of extension files by changing their default name to avoid remote automated scanning looking for specific version for which exploits may exist.
- Implement SSL Certificates and ensure that non-encrypted sessions fail rather than defaulting to insecure connection. This is especially important in payment processing extension.
- Remove unused services and associated files.
- Consider deployment of a server security monitoring solution including anti-virus. Additionally, security monitoring and logging including administrative login attempts should be considered.
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118