WEBSTANDARDS Archives

March 2012

WEBSTANDARDS@LISTS.UMN.EDU

From: Tony Thomas <[log in to unmask]>
Date: Wed, 28 Mar 2012 09:53:48 -0500
Sender: UofMN Web Standards <[log in to unmask]>
Reply-To: UofMN Web Standards <[log in to unmask]>
Content-Type: multipart/alternative; boundary=bcaec54fbbba66173504bc4ec66e
MIME-Version: 1.0
Parts/Attachments: text/plain (1841 bytes), text/html (2616 bytes)

Sorry to cross-post if any of you are on the comp-sec list, but I think
this was timely in light of the recent Wordpress presentations and
discussion.

---------- Forwarded message ----------
From: Alan Amesbury <[log in to unmask]>
Date: Tue, Mar 27, 2012 at 8:01 PM
Subject: Wordpress, Joomla, and similar CMSes
To: [log in to unmask]


OITSEC has been seeing reports of Wordpress and other sites being
compromised and reconfigured to serve up exploit code to unsuspecting site
visitors.  In some cases, compromised sites were configured in such a way
that they only served exploit code to certain clients, e.g., responses were
based on things like the client's browser identification string.  This in
itself is not new, nor are weaknesses in Wordpress.

However, in one case, Wordpress and the platform on which it was running
were completely patched and had no known vulnerabilities.  What apparently
happened was the admins were very diligent in ensuring the OS, web server,
and Wordpress were completely patched... but neglected to check for
vulnerable plug-ins/add-ons.  If you're running a similar CMS that allows
plug-ins, those plug-ins need to be added to your list of
software-patched-we-look-for.

Another weakness in some of the CMSes is themes.  Code included in themes
added to the CMS may not be robust, and may introduce interesting
"features" that are later used by someone else to help you "maintain" your
server.

Bottom line:  If you're running a CMS, please be careful to check that
*all* the sources for features in or added to the CMS are proactively
securing their code.


-- 
Alan Amesbury
OIT Security and Assurance
University of Minnesota



-- 
Tony Thomas
Web Developer
University of Minnesota
Student Unions & Activities
300 Washington Ave SE, Ste 500
Minneapolis MN 55455

Direct: 612-626-9820
Fax:     612-624-7256
sua.umn.edu <http://www.sua.umn.edu>
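The forwarded message's point is that plug-ins and themes have to be on the same patch inventory as the OS, web server and Wordpress core. The script below is an added example (not part of the original email, and not OITSEC or University of Minnesota code) of how an admin can build that inventory from the filesystem: it reads the "Plugin Name:"/"Theme Name:" and "Version:" header fields that WordPress itself uses in a plug-in's main PHP file and a theme's style.css, then flags anything older than, or missing from, a version list the admins maintain. The wp-content tree and the `latest` mapping are constructed sample data; the file layout and header names follow standard WordPress conventions, and any real site would substitute its own wp-content path and tracking list.

```python
"""Inventory WordPress plug-ins and themes so they land on the patch-tracking list."""
import re
import tempfile
from pathlib import Path

# Header fields WordPress reads from a plug-in's main PHP file or a theme's
# style.css.  The leading character class tolerates the " * " of a block comment.
_HEADER_RE = re.compile(
    r"^[ \t/*#]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$",
    re.MULTILINE,
)


def parse_header(text):
    """Return the recognised header fields from the start of a file.

    WordPress only inspects the first 8 KiB of a file for headers, so do the same.
    """
    return {m.group(1): m.group(2) for m in _HEADER_RE.finditer(text[:8192])}


def inventory(wp_content):
    """List (kind, relative path, name, version) for every plug-in and theme."""
    root = Path(wp_content)
    found = []
    # Plug-ins: the main file is whichever PHP file carries "Plugin Name:".
    # Single-file plug-ins sit directly in plugins/ (e.g. hello.php).
    plugin_files = sorted((root / "plugins").glob("*.php")) + sorted(
        (root / "plugins").glob("*/*.php")
    )
    for php in plugin_files:
        hdr = parse_header(php.read_text(errors="replace"))
        if "Plugin Name" in hdr:
            rel = php.relative_to(root).as_posix()
            found.append(("plugin", rel, hdr["Plugin Name"], hdr.get("Version", "unknown")))
    # Themes: style.css in each theme directory carries "Theme Name:".
    for css in sorted((root / "themes").glob("*/style.css")):
        hdr = parse_header(css.read_text(errors="replace"))
        if "Theme Name" in hdr:
            rel = css.relative_to(root).as_posix()
            found.append(("theme", rel, hdr["Theme Name"], hdr.get("Version", "unknown")))
    return found


def _vtuple(version):
    """Turn '1.2.3' into (1, 2, 3) for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def needs_patching(found, latest):
    """Return (kind, name, installed, expected) for stale or untracked components.

    `latest` is the admins' own name -> current-version mapping (assumed to be
    maintained alongside the OS/web-server patch list).  Anything without a
    known version, or absent from the mapping, is reported as "untracked" so it
    cannot silently fall off the list.
    """
    stale = []
    for kind, _path, name, version in found:
        if version == "unknown" or name not in latest:
            stale.append((kind, name, version, "untracked"))
        elif _vtuple(version) < _vtuple(latest[name]):
            stale.append((kind, name, version, latest[name]))
    return stale


def build_sample_tree():
    """Construct a throwaway wp-content tree (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    (root / "plugins" / "example-form").mkdir(parents=True)
    (root / "plugins" / "example-form" / "example-form.php").write_text(
        "<?php\n/*\nPlugin Name: Example Form\nVersion: 1.2.3\n*/\n"
    )
    (root / "plugins" / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n"
    )
    (root / "themes" / "example-theme").mkdir(parents=True)
    (root / "themes" / "example-theme" / "style.css").write_text(
        "/*\nTheme Name: Example Theme\nVersion: 2.0\n*/\n"
    )
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    # Sample tracking list: Example Form has a newer release; the theme is not tracked.
    tracked = {"Example Form": "1.3.0", "Hello Dolly": "1.6"}
    for item in needs_patching(inventory(tree), tracked):
        print("%s %-15s installed=%s expected=%s" % item)
```

Run against a real install by passing the site's wp-content directory to `inventory()`; the "untracked" entries are the ones the forwarded message warns about, components nobody has yet put on the patch list.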

