In as little as four hours, the bad guys can reverse engineer a software patch for an open-source content management system (CMS) and build an exploit capable of turning millions of websites into spammers, malware hosts or DDoS attackers.
“There’s just not enough time for normal site owners to apply the updates,” said David Jardin, a member of the German association CMS Garden, which promotes the use of open source CMS software including Drupal, Joomla, WordPress and others.
To help ordinary users patch more quickly, CMS Garden is participating in a government-funded project, Secure Websites and Content Management Systems (Siwecos), to make the websites of SMEs more secure.
Siwecos is a three-pronged effort, Jardin said.
Project participants, including researchers at the University of Bochum, are building a scanning engine that will give business owners feedback about potential security problems on their website, such as SSL/TLS misconfiguration or cross-site scripting vulnerabilities.
CMS Garden is contributing the second part: A series of plugins for different open-source CMSes that will provide that feedback from within the CMS management interface, where site owners can act on it immediately.
The third part, and the one Jardin is most excited about, is a service that will help web hosting companies filter out attacks before they reach vulnerable CMS installations.
Jardin pitched the project to a June meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG, an organization that aims to fight abuse of internet infrastructure).
There’s no inherent insecurity with the systems CMS Garden promotes, as Jardin sees it. The problem is that the site owners using them just don’t have time to keep their systems up to date. Better, then, to take them out of the loop.
“I want to remove the site owners from the chain of responsibility by talking to the web host directly,” he said.
He’s not expecting web hosts to patch their customers’ CMSes for them. Instead, at the same time as the patches go out, he’s offering the web hosts ready-made filter rules for their web application firewalls, designed to block the same exploits that the patches close.
“They can apply it right away and work around the end user, giving them way more time to apply the patch,” he said. “We’ve been doing this on a small scale for quite some time already for the Joomla project and a number of German web hosts, with tremendous effect.”
In one recent incident, a German hosting company that applied one of the filters blocked 150,000 requests per hour in the first day after a Joomla patch was released.
Web hosts could create such filters for themselves, but that would involve them reverse-engineering the patch too. It’s quicker and safer to leave it to groups like CMS Garden, said Jardin.
“For the CMS community it’s not a big deal because we know our systems pretty well. We can figure out a rule that doesn’t have many side effects, no false positives, and for the web hosting company it’s free of charge and safe.”
While the Siwecos project is funded by the German government and aimed primarily at German SMEs, internet traffic knows no boundaries.
“Even German companies host their sites all over the globe,” said Jardin. “We are talking to pretty much everyone so it’s more a global program.”
The Siwecos scanning system will use a modular API. It’s in a closed beta test for now, but its developers expect to open it up by September, when they will publish the first plugins for it. Modules under development include one for scanning HTTP headers relevant to security, such as those for Content Security Policy.
“The CSP headers are quite relevant because they can prevent exploits from working even if a site has been infected,” Jardin said. There will also be scanners to validate SSL/TLS certificates and server settings, and to check HTML code for malware.
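To make the header-scanning module concrete, here is a small checker of the kind such a module would run against a site’s HTTP response headers. It is an added example written for this article, not Siwecos or CMS Garden code; the check list, severity labels, sample header sets and all function names are the editor’s own choices. It parses a Content-Security-Policy header into directives, flags script policies that an injected payload could bypass (no script restriction at all, `'unsafe-inline'` without a nonce or hash, wildcard or `data:` sources, `'unsafe-eval'`), and also checks HSTS, `X-Content-Type-Options` and framing protection.

```python
"""Minimal HTTP security-header checker (added example, not Siwecos code)."""

from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(policy: Dict[str, List[str]]) -> List[Finding]:
    """Flag script-src settings that let injected script run despite a CSP."""
    findings: List[Finding] = []
    # script-src falls back to default-src when absent; neither means no limit.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        return [("high", "CSP has neither script-src nor default-src; scripts are unrestricted")]
    lowered = [s.lower() for s in scripts]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
    # report it when nothing else constrains inline script.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append(("high", "script-src allows 'unsafe-inline' without nonce/hash; injected inline script will run"))
    if "*" in lowered or "data:" in lowered:
        findings.append(("medium", "script-src allows * or data:; script origins are effectively unrestricted"))
    if "'unsafe-eval'" in lowered:
        findings.append(("medium", "script-src allows 'unsafe-eval'"))
    return findings


def scan_headers(headers: Dict[str, str], https: bool = True) -> List[Finding]:
    """Return findings for one response's headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "no Content-Security-Policy header"))
    else:
        findings.extend(check_csp(parse_csp(csp)))
    if https and "strict-transport-security" not in h:
        findings.append(("medium", "no Strict-Transport-Security header on an HTTPS response"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not 'nosniff'"))
    if "x-frame-options" not in h and "frame-ancestors" not in (csp or "").lower():
        findings.append(("low", "neither X-Frame-Options nor CSP frame-ancestors; page can be framed"))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {len(scan_headers(hdrs))} finding(s)")
        for severity, message in scan_headers(hdrs):
            print(f"  [{severity}] {message}")
```

The nonce rule is the part worth noting: a policy that lists both `'unsafe-inline'` and a `'nonce-…'` source is enforced by current browsers as nonce-only, so a checker that simply greps for `'unsafe-inline'` would report a false positive on sites that keep the keyword for legacy browsers.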
Jardin hopes to launch the web host service in September too. It will begin with a private mailing list so as to avoid giving bad actors additional clues for exploiting CMSes before they can be patched or otherwise protected.
“If you take a look at the firewall rules it’s going to be rather easy for an experienced attacker to build an exploit. That’s why we want to limit the circle of recipients.”
The web app firewall element of Siwecos has some overlap with work WordPress is doing with some web hosts. Siwecos, though, is working with multiple CMS projects and will be open to more web hosts, he said. “The beauty of our project is that it’s one central place for information about all CMSes.”
Commercial web application firewall vendors have nothing to fear from the project, and much to gain, according to Jardin.
“They don’t know our applications and they don’t have any up-front information about security issues. It’s going to take them at least 24 to 48 hours until they have the rule set in place that we can provide right from the beginning. That’s the thing that’s completely new.”