Sunday, October 05, 2014
White hat hacker warns CMS plugins are leaving the security door wide open
As well as being CEO of penetration testing specialists High-Tech Bridge, Ilia Kolochenko is, perhaps unsurprisingly, a white hat hacker of some repute. Equally unsurprising is his warning that security vulnerabilities in leading CMS platforms such as Drupal, Joomla and WordPress are effectively leaving the security door wide open for attackers to walk through. Kolochenko refers to the threat posed by outdated plugins, extensions and weak passwords as the 'Achilles heel of popular CMS', and for good reason: third-party plugins run with the same privileges as the CMS core, are patched far less reliably than the core itself, and are easy for an attacker to enumerate from the outside, so a single stale plugin can undo everything a well-maintained core installation gets right.

High-Tech Bridge regularly tests popular CMSs and their plugins via its ImmuniWeb online penetration testing service and, sadly, just as regularly discovers vulnerabilities in them. It follows a strategy of responsible disclosure, which I'm all in favour of, whereby any vulnerability is reported to the vendor immediately, but no public disclosure (other than a broad statement without exploitable details) is made for three weeks. This gives the vendor ample time to do something about it, should encourage those who are a bit slow off the mark to focus attention on a fix, and does so without telling the bad guys how to write code to exploit the hole.