Functional Extensions

Open source CMS: technical changes always call for a penetration test. Open source content management systems (CMS) are among the most widely used platforms for websites; WordPress, TYPO3, Drupal and Joomla, for example, are among the most widely deployed solutions in German-speaking countries. Yet the findings of the consultancy mikado ag show that CMS-based sites often carry major security vulnerabilities in specific functional areas. These concern less the core systems than the individual extensions. The BSI has recently come to similar findings. "The open source approach itself is not even the real problem, even though the source code is available to everyone and can in principle be used," says mikado board member John Rider.

On the contrary, the core systems in particular, which provide the basic equipment for operating a website, are of high quality from a security standpoint. However, while the core systems are normally maintained by a development team on the basis of standards, the extensions (news systems, image galleries, blogs, booking systems, web shops and more) are the work of individual developers whose knowledge of programming or security standards is unknown, and they are subject to no assessment at all. "This is why such extensions, if they are implemented unchecked, can become a breeding ground for security vulnerabilities through which an attacker may gain access to the entire system," emphasizes Rider. After all, each of these extensions interacts with the underlying database or uses write permissions on the file system. As a result, every update of an extension must be checked to see whether it meets all security requirements. Because database queries are changed or entirely new ones added, there is a risk that data is not sufficiently sanitized and a compromise of the system becomes possible. New security vulnerabilities can arise even in a patch for a bug.
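The risk described above, an extension whose database query passes request data through unsanitized, is easiest to see next to its hardened form. The following PHP is an added example and is not code from mikado ag or from any of the CMS projects named here; it stands in for a small gallery extension, uses an in-memory SQLite database via PDO, and the table name, column names and sample rows are all constructed for the illustration.

```php
<?php
// Added example (not mikado's or any CMS project's code): an extension-style
// lookup written the unsafe way and the hardened way, run against an
// in-memory SQLite database built here. Table and sample data are assumed.

function buildDatabase(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE gallery_images (id INTEGER PRIMARY KEY, album TEXT, path TEXT)');
    // Constructed sample rows: two albums, one of them not meant to be public.
    $rows = [
        ['holiday',  'uploads/holiday/1.jpg'],
        ['holiday',  'uploads/holiday/2.jpg'],
        ['internal', 'uploads/internal/draft.jpg'],
    ];
    $insert = $db->prepare('INSERT INTO gallery_images (album, path) VALUES (?, ?)');
    foreach ($rows as $r) {
        $insert->execute($r);
    }
    return $db;
}

// UNSAFE: the album name taken from the request is concatenated into the SQL
// text. This is exactly the pattern an extension update can introduce when a
// query is changed or a new one added without sanitising its input.
function imagesForAlbumUnsafe(PDO $db, string $album): array {
    $sql = "SELECT path FROM gallery_images WHERE album = '" . $album . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the same query with the album name bound as a parameter, so the
// driver treats it strictly as data, whatever characters it contains.
function imagesForAlbumSafe(PDO $db, string $album): array {
    $stmt = $db->prepare('SELECT path FROM gallery_images WHERE album = :album');
    $stmt->execute([':album' => $album]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = buildDatabase();

// For an ordinary request both versions return the same two paths.
var_dump(imagesForAlbumUnsafe($db, 'holiday') === imagesForAlbumSafe($db, 'holiday'));

// An album name that merely contains an apostrophe is enough to show the
// difference: the hardened version finds no such album and returns an empty
// array, while the unsafe version lets the input reach the SQL parser and
// fails with a syntax error. Input that alters the query rather than
// breaking it would be executed just as readily.
$odd = "O'Brien";
var_dump(imagesForAlbumSafe($db, $odd));
try {
    imagesForAlbumUnsafe($db, $odd);
} catch (PDOException $e) {
    echo "unsafe query rejected by the database: " . $e->getMessage() . PHP_EOL;
}
```

The point for review of an extension update is mechanical: every place where request data meets a query string should use bound parameters (or the CMS's own prepared-statement wrapper, such as WordPress's `$wpdb->prepare()`), and any new or modified query that concatenates input is a finding regardless of whether an exploit has been demonstrated.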

"To minimize this risk, a pentest is necessary not only when a new site goes live but also after every subsequent functional extension," emphasizes Rider. One-off tests could shed light only on the current status of the site and provide no guarantee of medium-term security. He pointed out that open source systems in particular show enormous momentum in their extensions, which are continuously added to or further developed. Here, for economic reasons alone, automated penetration testing is usually sufficient, as mikado offers with its scanning solution midas.