Every year, millions of websites across the world fall victim to malware attacks that are designed to gain access to the site’s backend without the administrator’s knowledge in order to steal sensitive data or cause damage, usually for financial gain. This year, cyberattacks have been on the rise during the pandemic, leaving businesses to wonder whether or not things will settle down whenever the COVID-19 situation begins to wane, or if this is the next normal for the indefinite future.
Attacks targeting popular content management system (CMS) platforms like WordPress, Joomla, Drupal, and noneCMS have risen in 2020. In fact, according to the 2020 Global Threat Intelligence Report from Dimension Data, these CMS platforms alone were the target of approximately 20% of all observed attacks globally. SQL injection vulnerability in Joomla was found to be the most commonly exploited by attackers.
In this article, we’ll take a look at security vulnerabilities in the context of CMS platforms and the implications of SQL injection attacks on your website.
How CMS vulnerabilities have evolved over the years
CMS vulnerabilities affect your website’s security as well as the content management system you use. Some of the common reasons for CMS vulnerabilities include privilege escalation exploits, social engineering attacks, and cross-site scripting.
- Privilege escalation exploits involve making use of security flaws, known bugs, or a lack of configuration oversight in an application or an operating system to gain full access to resources.
- Social engineering attacks on CMSs include a wide variety of malicious activities that are used to bypass technical measures implemented to protect the process of content management.
- Cross-site scripting (XSS) utilizes security flaws in client-side execution environments as well as vulnerabilities in the backend, such as the lack of verification of content and parameters to disclose sensitive data, allowing attackers to take over the system.
Most security flaws linked to CMS platforms aren’t limited to web content management but present in server environments, web technologies, and protocols.
Cross-site scripting targets the client environment and makes use of the server side’s low parameter and content sanitization. As a result, the attacker can inject malicious code and arbitrary commands into the pages users view.
This security flaw differs from code execution vulnerabilities, since the injected code is run on the client-server and not on the server-side. This delays the technical impact of the threat. However, when executed effectively, it can result in serious data and privacy violations such as the manipulation of databases and stored variables, including the manipulation of the actual content served.
This type of web application security vulnerability commonly targets popular CMS platforms, as they rely heavily on the internet in their technical architecture. Alternatively, this threat can be easily neutralized by disabling the client-side execution environment.
Open-source CMSs such as WordPress and Drupal, which rely heavily on the client-side environment, are more prone to client-side attacks as compared to traditional corporate-based frameworks that exhibit server-side remote vulnerabilities. The growth of third-party CMS plugins has also contributed to cross-site scripting becoming a top security vulnerability for CMS platforms.
Arbitrary remote code execution
Sending malicious commands to a web application can result in disclosure of users’ private data, and the attacker can gain access to a user’s computer. This method of injecting code within the same local execution infrastructure is relatively easy when compared to remote injection, which requires more specialized tools and skills.
Here, the remote hacker only needs a security flaw that offers a small window to send commands to the remote execution environment, enabling the malicious code to run without any evaluation.
As a result, attackers can create a remote entrance to reach the target environment, and oftentimes the administrator has no knowledge of the system being compromised.
Most of the time, attackers make use of remote code execution security flaws that are on the web surface or within different narrow-use and specific ports and protocols. When a CMS is attacked, the remote code execution flaw often results from a connected platform such as the .NET environment, PHP scripting language, or file-sharing service or database that has remote code execution vulnerabilities.
Instead of targeting the remote infrastructure, sometimes threat actors change their tactics by initiating remote code execution attacks within the client environment. For example, a malicious email may have an attachment containing a specially crafted infected file. The file containing the malicious code is executed on the client’s infrastructure. It can, for example, enable the attacker to install programs or create new accounts with full user rights.
In both types of attacks, the malicious code can be the same. However, the method of delivery is different. This is why it’s vital for CMS admins to secure their platforms and not allow attackers to gain entry to the end-users’ systems. As of 2017, arbitrary remote code execution has emerged as a top CMS security vulnerability. Several security flaws have been detected in Magento’s CMS, including arbitrary code execution.
SQL injection and the CMS
These days, most CMS platforms have an underlying SQL database backend. These backend databases implement application-specific authentication instead of user-level credentials. As a result, when malicious code is introduced to a web layer in the form of an SQL injection, a breach in data security affects the entire database.
As with other code injection threats, an SQL injection is able to send arbitrary SQL code straight to the database layer. In most cases, a lack of parameter sanitization is responsible for this type of security vulnerability, as it allows the threat actor to send direct database commands and modify the database directly.
SQL injections have been around for a long time now still, they remain one of the most common CMS security flaws. With time, users have discovered new injection points. Performing parameter value sanitization for input value processing is a common way to stop SQL injection attacks.
Some of the most popular CMS platforms that are known to have SQL injection vulnerabilities include WordPress, Joomla and Drupal. According to Sucuri’s 2019 Website Threat Research Report, over 2 million SQL injection attack attempts were blocked by the Sucuri Firewall, accounting for 1.55% of all blocked attack attempts.
Consequences of SQL injections on CMS platforms
The whole point of a CMS platform is to connect with a database that stores content, including both structured information as well as data relating to registered users with different roles.
According to Sonicwall, there has been a considerable rise in web app attacks executed via SQL injection. Web app attacks, which are commonly executed via SQL injection, are down from last year but have been trending dangerously upward since February, with 2.1 million attacks rising steadily to 4.9 million attacks in June.
In an SQL injection attack, the attacker sends SQL input into an entry field for execution or to gain access to a web application without the owner’s permission or knowledge. This allows the malicious user to view, insert, modify, or delete data stored in the web application’s database tables. Most attackers use SQL injections to exploit known security vulnerabilities in plugins and applications like PHP.
Here’s an example of how an SQL injection works. Suppose a web application with text input asks the user to enter their user id for identification:
SELECT * FROM Users WHERE UserId = " + txtUserId
The input entered by the user “202 or 1=1” where 202 is the wrong user id. This changes the server code as follows:
SELECT * FROM Users WHERE UserId = 202 or 1=1
Since the condition 1=1 always holds true, every entry in the Users table of the database is returned by this statement. Now, if your code was written to select the first row in SQL, this could potentially compromise data stored in multiple database tables.
Let’s take a look at some of the consequences of SQL injection attacks in CMS platforms:
- No need for authentication for a successful login: The threat actor isn’t asked for identification before logging into your site, giving open access to the site’s resources.
- Setting up redirects: This involves the attacker placing malicious redirecting links on your site pages, which direct your site’s visitors to websites where they get scammed or their system gets infected with malware.
- Spamming: Attackers use spamming techniques to monetize fraudulent products on your site. They may infect your applications by allowing them to directly communicate with your site’s users.
- DDoS attacks: Attackers use DDoS attacks to disrupt your website services temporarily or indefinitely, resulting in serious financial damages.
There are various ways you can prevent injection attacks. The most common measures include:
- Deploying web application security: A web application firewall (WAF) is a must-have security solution for any live website or application today. A WAF prevents malicious traffic and processes from interacting with your CMS platform.
- Use input validation: Most popular CMS platforms already check the data being submitted through fields and forms. But in case you will be doing customizations that involve adding fields, make sure you have scripts that screens all data sent by users.
- Secure access to your database. It’s best to create a unique SQL user with a strong password for each of your CMS installations. Avoid providing root level access by limiting the privileges of the user. WordPress, for example, can work with just SELECT, INSERT, UPDATE, CREATE, DELETE, DROP, and ALTER privileges.
- Keep everything updated. CMS platform and plugin developers also maintain their code bases for security. Many of their releases are meant to address bugs and vulnerabilities. If your CMS platform notifies you of an update, check if these include bug and security fixes. Update accordingly.
Millions of websites fall victim to malware attacks each year and result in huge financial losses. However, website owners can successfully prevent or minimize the impact of such attacks by proactively fixing vulnerabilities (such as SQL injection vulnerabilities) in their CMS.
There are several measures you can take to prevent SQL injection attacks but they should be implemented as part of a cohesive strategy. By deploying the right security tools and continuously testing your website and fixing any apparent flaws, you can stay ahead of attackers who try to exploit CMS vulnerabilities.