Sorry to cross post if any of you are on the comp-sec list, but I think this was timely in light of the recent Wordpress presentations and discussion.

---------- Forwarded message ----------
From: Alan Amesbury <[log in to unmask]>
Date: Tue, Mar 27, 2012 at 8:01 PM
Subject: Wordpress, Joomla, and similar CMSes
To: [log in to unmask]

OITSEC has been seeing reports of Wordpress and other sites being compromised and reconfigured to serve up exploit code to unsuspecting site visitors.  In some cases, compromised sites were configured in such a way that they only served exploit code to certain clients, e.g., responses were based on things like the client's browser identification string.  This in itself is not new, nor are weaknesses in Wordpress.

However, in one case, Wordpress and the platform on which it was running was completely patched and had no known vulnerabilities.  What apparently happened was the admins were very diligent in ensuring the OS, web server, and Wordpress were completely patched... but neglected to check for vulnerable plug-ins/add-ons.  If you're running a similar CMS that allows plug-ins, those plug-ins needed to be added to your list of software-patched-we-look-for.

Another weakness in some of the CMSes is themes.  Code included in themes added to the CMS may not be robust, and may introduce interesting "features" that are later used by someone else to help you "maintain" your server.

Bottom line:  If you're running a CMS, please be careful to check that *all* the sources for features in or added to the CMS are proactively securing their code.

Alan Amesbury
OIT Security and Assurance
University of Minnesota

Tony Thomas
Web Developer
University of Minnesota
Student Unions & Activities
300 Washington Ave SE, Ste 500
Minneapolis MN 55455

Direct: 612-626-9820
Fax:     612-624-7256