Content mismanagement systems

Our keynote speaker at this year's ITC security event StormCloud, Graham Cluley, has reported a massive zero-day vulnerability in the WordPress content management system, one that was patched quietly, under the cover of darkness. Read all about it here.

In the last three weeks ITC has been dealing with numerous incidents relating to Content Management Systems including the aforementioned WordPress and Drupal.

Vulnerabilities in unpatched CMS platforms, or worse, zero-days, offer an ideal way into an environment for the enthusiastic and dedicated attacker, who will work his or her way in through the web tier, escalate privilege, and then enumerate and exploit whatever is reachable on connected systems.

Whatever the motive, it is highly unlikely that the business hosting the site in question will notice; if a stealthy approach is used, the activity may not even trigger alerts in the logs of its security systems. The potential damage is immense.

We recommend that clients hosting public-facing web infrastructure stay on top of scanning, patching and testing their web estate, using appropriate processes and tools.

It is imperative that your operations team or outsourcers stay on top of patching CMS installations (core as well as plugins, modules and themes), that you run regular web application testing, vulnerability scanning and penetration testing, and that you protect the environment with a Web Application Firewall.
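One concrete way to keep on top of the patching point above is to inventory which CMS version each host is actually running and compare it against the floor your patch baseline sets. The Python below is an added illustration written for this post, not code from the original article or from ITC; it reads the version constant each CMS ships in its source tree (WordPress's wp-includes/version.php, Drupal 8's core/lib/Drupal.php, Drupal 7's includes/bootstrap.inc). The file contents, hostnames and floor versions are constructed placeholders, not real advisories; in practice you would read the files from each web root and set the floor from the vendor's current release notes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Where each CMS records its core version, and the line we expect to find there.
# WordPress: wp-includes/version.php   ->  $wp_version = '4.x.y';
# Drupal 8+: core/lib/Drupal.php       ->  const VERSION = '8.x.y';
# Drupal 7:  includes/bootstrap.inc    ->  define('VERSION', '7.xx');
VERSION_PATTERNS = {
    "wordpress": re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)['\"]"),
    "drupal8": re.compile(r"const\s+VERSION\s*=\s*['\"]([0-9][0-9.]*)['\"]"),
    "drupal7": re.compile(
        r"define\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]\s*\)"
    ),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.7' -> (4, 7, 0) so that short and long version strings compare sanely."""
    parts = tuple(int(p) for p in text.split(".") if p)
    return parts + (0,) * (3 - len(parts))


def extract_version(cms: str, source: str) -> Optional[str]:
    """Return the version string found in the CMS source file, or None if absent."""
    match = VERSION_PATTERNS[cms].search(source)
    return match.group(1) if match else None


def needs_patch(cms: str, source: str, minimum: str) -> Optional[bool]:
    """True if the install is below the patch floor, False if at or above it,
    None if no version could be detected (treat that as a finding in itself)."""
    found = extract_version(cms, source)
    if found is None:
        return None
    return parse_version(found) < parse_version(minimum)


def audit(installs: List[Tuple[str, str, str]], baseline: Dict[str, str]) -> List[Tuple[str, str, Optional[str], str]]:
    """installs: (hostname, cms, source_file_text); baseline: cms -> minimum version.
    Returns one (hostname, cms, detected_version, status) row per install."""
    report = []
    for host, cms, source in installs:
        verdict = needs_patch(cms, source, baseline[cms])
        status = "UNKNOWN" if verdict is None else ("PATCH" if verdict else "OK")
        report.append((host, cms, extract_version(cms, source), status))
    return report


# Constructed sample file contents standing in for files read from each web root.
SAMPLE_WP = "<?php\n$wp_version = '4.5.3';\n$wp_db_version = 12345;\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.2.5';\n}\n"
SAMPLE_D7 = "<?php\ndefine('VERSION', '7.43');\n"

# Constructed estate and placeholder patch floors (set these from vendor release notes).
SAMPLE_INSTALLS = [
    ("www.example.test", "wordpress", SAMPLE_WP),
    ("intranet.example.test", "drupal8", SAMPLE_D8),
    ("legacy.example.test", "drupal7", SAMPLE_D7),
]
BASELINE = {"wordpress": "4.7.0", "drupal8": "8.2.0", "drupal7": "7.50"}

if __name__ == "__main__":
    for host, cms, version, status in audit(SAMPLE_INSTALLS, BASELINE):
        print(f"{status:8} {host:25} {cms:10} {version or '?'}")
```

A core version check is only the first pass: plugins, modules and themes each carry their own version and their own advisories, so the same pattern should be repeated over those directories, and a host where no version string can be found deserves a manual look rather than a pass.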

If you would like to discuss these issues with us, get in touch soon, while this is hot off the press and before complacency sets in: [email protected] or 020 7517 3900.

Furthermore, we note that Baroness Harding is stepping down from TalkTalk in May, to be replaced by Sir Charles Dunstone (read the article here). We wish them both the very best and respectfully recommend that security stays at the forefront of both their minds.