Comparison of common open source CMS systems for security vulnerabilities
28/12/2012
The UK Government has recently been encouraging use of open source code, partly as a way of avoiding the very large license fees for .NET applications. In terms of operating systems this makes a lot of sense, and systems developed and running under the Linux operating system will cost less to run than those on a Microsoft .NET architecture.
This has encouraged a rush back to using open source code for CMS or shopping cart systems. There are risks here, as the quality of some of this code is poor and security vulnerabilities are common. This means that if you have a website on an open source CMS you must ensure essential security updates are applied regularly. This can be many times per year, so expect to pay for several hours of maintenance per month.
A quick survey of the common CMS systems shows the following insecurities and updates in 2012:
Joomla: we counted 10 security upgrades
Drupal: 4 major security upgrades – some very critical
WordPress: ‘just’ 3 security upgrades of moderate severity.
The above confirms our choice of WordPress as the open source CMS of choice when security is an issue.
Below is more detail on the open source CMS vulnerabilities and security update issues in 2012.
Joomla
Joomla 2.5 (released in February 2012) was the preferred version until October 2012, when Joomla 3 was released. This, as would be expected of a first release, had some serious security issues, and version 3.0.1 was quickly released to deal with an XSS vulnerability in a language search. Within a month the next security patch (version 3.0.2) was released to deal with “clickjacking”.
Similar security issues affected the older 2.5 version of Joomla, which by September 2012 was at version 2.5.7 – so seven significant upgrades. In general there is an upgrade every month or every other month.
Drupal
Drupal produced four significant security updates in 2012. These were classed as moderately critical (December 2012), highly critical (October 2012), critical (May 2012) and moderately critical (February 2012). All of these were for multiple vulnerabilities and left the system open to access bypass. The last two in 2012 were particularly nasty, as hackers could execute arbitrary PHP code and access information. It is essential that any website storing any form of data has these last two critical Drupal updates installed.
WordPress
WordPress produced three significant security updates in 2012. The first came right at the start of the year, in January 2012, and fixed a cross-site scripting vulnerability.
In June another security update dealt with potential information disclosure, which made it essential to install for any site holding user data. This upgrade started to tackle some security issues on multisite installs. The third release, in September 2012, fixed these more fully along with various other vulnerabilities.
Key Message
The key message is: if you have an open source CMS, ensure whoever is supporting it is applying security updates regularly.
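One way to check whether a site is still behind on the releases discussed above, as an added example that is not the article's or any CMS project's own code: it reads the version each CMS records in its source tree and compares it with a per-branch minimum patched release. The file paths and regex patterns are assumptions based on the 2012-era WordPress 3.x, Drupal 7 and Joomla 2.5/3.0 layouts, and only the Joomla minimums come from the article; the WordPress and Drupal entries are left for the operator to fill in from the vendor advisories.

```python
import re

# Where each CMS records its version and how to pull it out. Paths and patterns
# are assumptions based on 2012-era WordPress 3.x, Drupal 7 and Joomla 2.5/3.0.
JOOMLA_PATTERNS = [r"\$RELEASE\s*=\s*'([\d.]+)'", r"\$DEV_LEVEL\s*=\s*'(\d+)'"]
CMS_SIGNATURES = [
    ("WordPress", "wp-includes/version.php", [r"\$wp_version\s*=\s*'([\d.]+)'"]),
    ("Drupal", "includes/bootstrap.inc", [r"define\('VERSION',\s*'([\d.]+)'\)"]),
    ("Joomla", "libraries/cms/version/version.php", JOOMLA_PATTERNS),  # 3.x
    ("Joomla", "libraries/joomla/version.php", JOOMLA_PATTERNS),       # 2.5
]

# Lowest release per branch carrying the 2012 fixes the article names. Only the
# Joomla figures come from the article; fill in the rest from vendor advisories.
MINIMUM_PATCHED = {"Joomla": {"3.0": "3.0.2", "2.5": "2.5.7"},
                   "WordPress": {}, "Drupal": {}}

def _vtuple(v):
    return tuple(int(x) for x in v.split("."))

def is_outdated(installed, minimum):
    """True if installed < minimum; '3.0' is padded to 3.0.0 so it ranks below 3.0.2."""
    a, b = _vtuple(installed), _vtuple(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def identify(files):
    """files: relative path -> file text (as read from the docroot).
    Returns (cms, version) or None when no known version file is present."""
    for cms, relpath, patterns in CMS_SIGNATURES:
        text = files.get(relpath)
        if text is None:
            continue
        matches = [re.search(p, text) for p in patterns]
        if all(matches):
            return cms, ".".join(m.group(1) for m in matches)
    return None

def assess(files):
    """Returns (cms, version, status); status is 'outdated', 'ok',
    'no-baseline' (no minimum configured for that branch) or 'unknown'."""
    found = identify(files)
    if not found:
        return None, None, "unknown"
    cms, version = found
    minimum = next((m for branch, m in MINIMUM_PATCHED[cms].items()
                    if version == branch or version.startswith(branch + ".")), None)
    if minimum is None:
        return cms, version, "no-baseline"
    return cms, version, "outdated" if is_outdated(version, minimum) else "ok"
```

To run it against a real site, build the `files` mapping by reading each path in CMS_SIGNATURES that exists under the docroot; a 'no-baseline' result means the branch still needs its minimum filled in, not that the site is safe.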