SECURITY OF WEB CONTENT MANAGEMENT SYSTEMS

Transcription

1 UNITE JOURNAL: VOL.1 (NO.1) / June 2014 / ISSN: / UDK: University journal of Information Technology and Economics Available online: System for submission: SECURITY OF WEB CONTENT MANAGEMENT SYSTEMS Fadil Novalić, Elvis Dautović, Mensura Kudumović Department of Computer Sciences, University of Novi Pazar, Dimitrija Tucovića bb, Novi Pazar, Serbia, fadilnovalic@uninp.edu.rs Article Info Article history: Received 19 Nov.2013 Received in revised form 19 Feb 2014 Keywords: Security, CMS, WCMS, E- learning, Cryptography, Session, Database. Abstract Modern CMS applications were designed and developed in such way that by using them all details of an Internet presentation can be controlled. Recently they have become very popular to use and thus it is necessary to work on security of data that they manage. This paper (research) deals with the management of web presentation contents, better known as CMS (Content Management Systems). They were designed with the purpose to enable users to create, edit and publish content such as text, graphics, audio and video by using information technologies. The aim of this paper is to provide a description of security procedures of systems for web content management which was initially designed by the author. Our WCMS was designed in PHP programming language and uses MySQL database. It enables users to create web pages with standard features such as text, images, audio and video recordings which are used in e-learning of standard school material. We considered the security of webpage content, user details and databases. We also provided a comparison of security of some previous content management systems and our own.besides simplicity of the system, we also worked on its security, thus it has been brought on a very high level using new technologies and algorithms for data encryption. INTRODUCTION The system for web presentation content management, which is the subject of this paper, was designed for the purposes of creating materials for e-learning via websites. The system is very easy to use and meets the requirements for creating simple websites. We particularly paid attention to the security of content that the system manages. We also provided a comparative analysis of some security aspects of our and other widely used web content management systems. Procedures which regulate security were described in detail with a display of their programming code. Security aspects dealt with in this paper are: security of data in databases, user details and website content. CONTENT MANAGEMENT SYSTEMS Content management systems are also known as CMS. They were designed to enable users to create, edit and publish content such as text, graphics, audio and video by using information technologies. These systems operate through two parts: one that is used to create and update content and the other delivered to users on the website. CMS creates the website from the content provided by website administrators and then displays it in a browser. This is why these systems are simple to use 37

2 and enable users with little knowledge of programming to manage them which further expands ways of using information technologies. Besides simplicity, there are other features of CMS such as: terms of using systems under license, installation, security, stability and performance, time needed to develop an Internet portal and its additional components, possibility to further configure used CMS applications, size and importance of community 1, means of input and text administration as well as simplicity of publishing on a developed Internet portal. (Petrovic, 2013). Modern CMS applications were designed and developed in such way that by using them all details of an Internet presentation can be controlled. This is why CMS applications are used for private Internet presentations, presentations of small and medium companies but also for presentations and portals of big businesses. (Kavecan, 2010). There are several classifications of CMS while the classification based on the type of content that the systems manage is most commonly used. Thus, there are: - Document Management Systems, - Digital Asset Management Systems, mainly used for multimedia files, - Web Content Management Systems, - Learning Content Management Systems (Milenkovic, 2010). WCMSs are used the most as they use all other types of content management and allow designing and presentation of content on the Internet. They consist of two parts: administrator and user part. Administrator part deals with website maintenance while user part displays the website content in web browsers. Website maintenance is done through modules which represent a simple way of adding content to the website and its further arrangement. Installation of WCMS on the server is necessary in order to publish content. Internet presentation content management is conditioned by the current rules of doing business. They require a fast and easy way to create and publish websites as well as prompt and successful updates performed mainly by administrators with little programming knowledge. This is exactly the main advantage of creating and maintaining websites using CMS in comparison to the traditional way which required skillful Internet programmers and developers. 1 We can consider a community as a group of people gathered around a specific programming product. Users as well as programmers and developers can discuss about the system and its functionality within the community. EXAMPLES OF WEB CONTENT MANAGEMENT SYSTEMS We are going to mention three WCMS: Joomla, WordPress and our own system. JOOMLA is an open-code CMS. It uses PHP programming language and MySQL database which are open source programming tools, i.e., they can be used and edited for free. PHP is a programming language used to write scripts which are used in the Internet and operate on servers. PHP code can be embedded into HTML pages and it is triggered when a user searches for a website. Web server interprets the PHP code embedded into the page and generates HTML code or some other forms of output data that the user can see on the website. MySQL is a very fast and robust system for management of relational databases (Welling, 2009). Joomla is available for free. It can be downloaded at Joomla website is made of several elements which together make a whole. There are three main elements of a website: content, templates and modules. Content is the main part, templates define how content is displayed while modules add dynamic functionality around the content. Content is organized through easy-to-manage sections which are called articles. A template is a set of rules about the way components and modules are set and displayed on the screen. Templates with added CMS databases also define, for example, how many columns there are and what color the titles are. Modules are short, functional blocks which are most commonly set around the main part of the website, for example, surveys, log in screen or latest news. (North, 2010). WORDPRESS is a WCMS adjusted to creating websites which deal with news, so-called blog-machine. Blog or web log is a website that consists of different posts. Posts on the home page are organized in such way that the latest text is located at the top. WordPress uses templates which allow defining the website look (Hussey, 2011). WordPress can be downloaded for free at or Our WCMS was designed in PHP programming language and uses MySQL database. It enables users to create web pages with standard features such as text, images, audio and video recording in a very simple way. It operates through administrator and user parts. User part is displayed in a web browser. Simplicity and website updates are its main advantages over Joomla and WordPress. However, it lacks in complexity of websites it creates. Nevertheless, due to the initial purpose of creating this WCMS, its simplicity cannot be 38

3 considered as a disadvantage. It possesses a high level of security as it does not use much data that could be potentially used for attacks on the system. SECURITY OF POPULAR WCMSS Joomla and WordPress were designed using PHP programming language which is optimized for web development and belongs to open source tools. The dark side to open source applications is that clients often choose them for their low cost of implementation, but often fail to realize that "free" means freedom to change, modify, and use the code. "Free" does not mean free from vulnerabilities, hackers, financial costs of support (Canavan, 2011). PHP programming language lapses which were the cause for security lapses of WCMSs developed using this tool can be summarized in the following five points: - User data Most common and most serious security vulnerabilities of PHP code are caused by an insufficient validation of user data. Many scripts take information that an online user inputs and process it in different ways. In order to protect the system from such attacks it is necessary to check all details provided by the user. - Environment variables When we input include() or require() command in PHP, the system will search for it in a separate library. For example, $LD_LIBRARY_PATH enviroment variable sets a path for dynamically inserted libraries. The script cannot manage the content of this environment variable at the same time it actually starts executing it. An attacker can change the path with a modified version of software that can be affected by a Trojan which is a simple way for starting malware code in the system. It is always good to redefine all environment variables that will be used in the script before using it. Even though this is not always possible, it can provide a higher level of trust towards the content of these variables. - External software External software with specified names and arguments in most cases cause damage to the system by executing random programming code. For example, system($userinput) command is not reliable since it enables users to execute random commands on servers. Solution to this problem lies in filtering user input before executing it so that the sign < is not allowed. - Databases Using PHP programming language leads to interactions among numerous different databases which can lead to security problems. Often PHP scripts use input information from web forms to create SQL strings. User can use semicolon to mark the end of the current command and deliver random command to the database. Script permissions can be adjusted to limit the damage. However, this does not remove the problem entirely as the user can further make strings for revealing sensitive information. If the user input is to be transferred to the database, it should be firstly checked and filtered (by recognizing described meta-signs). - URL address PHP language generalize the concept of database in order to include URL addresses used for various purposes. For example, command include (" will download the database from the given address and include it in the script. It is also possible to open distant database for reading in the same way. The threat lies in the fact that the distant address or the network is a danger itself. In both cases, an unknown and potentially dangerous code is loaded into the script by using include() command. fopen() command loaded from a distant address can be dangerous as well, but it all depends on the user permissions. If not utterly needed, this PHP function within php.ini should be disabled. (CARNet CERT, 2008). Based on its experience, Joomla community suggests different ways for improving WCMS Joomla security. - Changes of administrator account Jommla system administrator is the user who installed the system. In order to protect the administrator account it is necessary to change username while installing Joomla, for example, by choosing your nickname instead of the generic administrator username. - Regular updates Older versions of Joomla application and additional modules had security flaws and thus it is necessary to update to the current and secure version and perform regular updates of your Joomla site and all additional extensions as soon as newer versions become available. - Installation of extensions You should always download Joomla system plug-ins, modules and extensions from the official Joomla directory: These extensions were tested for security and other lapses. - Use of SEF component This component is used to adjust URL address for use in browsers and send all requests to index.php file. - Setting permissions It is necessary that attributes are set up to 644 (rw-r-r) for all files and as high as 755 (rwx-rx-rx) for directories. Joomla system configuration file configuration.php should be set to 600 in order to 39

4 fully secure the database from any kind of unauthorized access. - Security extensions Depending on which level of security you want to use, you can use any of the extensions from: In order to secure administrator part of the website, you should download the AdminExile plug-in: access-asecurity/site-security/login-protection/ Using this extension you can set security keys needed to access the administrator part of the website, IPv4/IPv6 White and Black list as well as Brute Force detection and notifications sent via about the possible attacks. - Removal of extensions and templates that are not used Joomla system extensions and templates that are not used may contain security lapses. Thus, it is recommended to remove these from the system (DreamWeb, 2013). Dream Technologies Group gave recommendations how to secure WORDPRESS websites: - Changes of administrator account It is strongly recommended to change the default administrator name into something else. - Protection from brute-force and other threats In order to protect your website from brute-force you should install Limit Login Attempts plug-in that is available at This plug-in limits the number of false user authorization attempts and sends an about the incident to the administrator. Another option is the Better WordPress Security plug-in which has additional security forms. It is available at better-wp-security/. - Regular updates It is also important to regularly update WordPress along with its themes and plug-ins. Every plug-in and theme not used on the website must be deleted from the server as such plug-ins and themes pose a security risk to your website and hosting account. - Setting permissions Attributes for files should be set up to 644 (rw-r-r) and for directories up to 755 (rwxrx-rx). Attributes of WordPress configuration file wpconfig.php should be set to 600 and thus completely secure it on the server. - Other recommendations Depending on the method of installation of WordPress it is possible to have install.php file in wp-admin folder on the server. Remove it as it may pose a security lapse. If you do not want to have enabled free registration of new users, you can turn off the Anyone can register option within Settings -> General. In order to forbid public access to the content of WordPress folder put an empty index.html file into the following folders on the server (if there are no index files already): wp-includes wp-content wp-content/plugins wp-content/themes wp-content/uploads (DreamWeb, 2013). SECURITY OF OUR WCMS SYSTEM CMSs are popular and functional systems as web developers are turning CMS into a growing Web System day by day. Besides all good features of CMSs, we should always pay attention to securing them. Many of those systems are open source or have been created using open source software which is the case with our system. Our system represents websites designed using PHP and MySQL databases. Security of CMSs is becoming a burden for both databases they use and their users. It is all about the privacy of data within these systems, whether it is secure or not. When we talk about security on the Internet in most cases we talk about passwords as it is the case with CMSs. The encryption of passwords that our system uses is not used by all systems today, not used by Joomla and WordPress as they use hash256-bits encryption. Better solution to the problem is combination of hash and salt passwords. It uses bcrypt algorithm for password_default() which constant is set to change over time. Salt is a solution which comes together with hash, i.e. it manually secures salt while hashing the password. This means that the salt would be automatically generated. If salt is exempted and not generated, it would however be generated by password_hash() every time when hash is generated. Hash transforms data (either small or huge amount) into a relatively shortened piece of data. Hashing is best explained on the example of finger prints as every hash has a specific combination of letters and numbers. This is the code that we use in our WCMS to generate hash and salt passwords together: public static function make($string, $salt = '') { return hash('sha256', $string. $salt); 40

5 public static function salt($velicina) { return mcrypt_create_iv($velicina); public static function unique() { return self::make(uniqid()); User sessions are also very important when it comes to security. Our system uses cookies to store data. They store series of data which we can use to control every registered user. This is how we enhanced the security of WCMS. When a user accesses the website, he is assigned a unique number, so-called session_id. Session_id is stored using cookies by the user. The system automatically checks whether the session has started or is about to every time the registered user accesses the website. Cookies are often used to identify the user. It is a database that the server creates on user s computer when the user accesses the website. Using data stored in the cookie, the server will enable user to access the website again while his session is in progress, i.e. until he signs out. Our system uses the option for automatic signing out after 60 minutes of user inactivity. When this process is finished, the cookie is destroyed. In order to achieve a very high level of security and enable users to control all of their data and feel secure from hackers or some spam scripts we have upgraded all new technologies of our system to support PHP 5.5 version. Some Joomla and WordPress versions use older versions of PHP which do not have hash 256-bits feature. CONCLUSION WCMSs are tools which enable easier design and maintenance of websites that are used for different purposes, from blogs to business websites of huge companies. Recently they have become very popular so it is necessary to work on security of data they operate with. More so as most of them were created in PHP and use MySQL databases which make them open source as well. The best way to provide good protection for a system is to follow new technologies and use latest security extensions. WCMSs can be created to meet specific user needs as it is the case with our system which purpose is to create simple websites for e- learning. Our WCMS was created in PHP programming language and uses MySQL database. It enables users to create simple websites which contain standard elements: text, images, audio and video recordings for the purposes of e-learning of standard school material. When we talk about the Internet security, security of websites, user details and databases, we usually think about passwords. This is also the case with CMSs. Password encryption that our system uses is not used by all systems today, not used by Joomla or WordPress. Our system uses cookies for storage of user sessions. They store series of data which we can use to control every registered user. This is how we enhanced the security of WCMS. We have upgraded all new technologies of our system to support PHP 5.5 version. Some Joomla and WordPress versions use older versions of PHP which do not have hash 256-bits feature. Besides simplicity of the system, we have worked on its security and it has been raised to a high level using new technologies and algorithms for data encryption. REFERENCES Canavan, Tom (2011) CMS Security Handbook: The Comprehensive Guide for WordPress, Joomla, Drupal, and Plone. Wiley Publishing,Inc. Indianapolis, Indiana. CARNet CERT, LS&S (2008) CCERT-PUBDOC CMS sustavi i sigurnost, DreamWeb (2013), Bezbednost Joomla CMS-a, ednost-joomla-cms-a, Accessed 25 January DreamWeb (2013), Bezbednost WordPress sajta, ednost/bezbednost-wordpress-sajta, Accessed 25 January Hussey T. (2011) Naučite WordPress, Mikro knjiga, Beograd Kavečan, Nikola (2010) Analiza različitih sistema za upravljanje sadržajem internet prezentacije. Konferencija E- trgovina. Milenković, D. i dr (2010) Sistem upravljanja sadržajem pojam i karakteristike, Vojnotehnički glasnik/military Technical Courier, Vol. 58 (No. 1), pp North, B. M. (2010) Joomla! 1.5: priručnik za korisnike. Mikro knjiga, Beograd. Petrović, Đorđe (2013) Analiza uticaja AES kriptografskog algoritma na performanse različitih sistema za upravljanje bazom podataka. Master rad, Univezitet Singidunum, Beograd. Welling L, Thomson L (2009) PHP i MySQL razvoj aplikacija za Web, Mikro knjiga, Beograd. 41