Two security vulnerabilities were just discovered in ImpressCMS, and a new release has been published to address them. The ImpressCMS Project has just released ImpressCMS 1.2.4 as a stable release; site administrators are strongly encouraged to upgrade their sites.
Upgrading Wordpress could not be simpler
Wordpress users have been encouraged to update to the latest version of Wordpress, currently 2.8.4. It appears there is a nasty worm going around attacking Wordpress sites.
No matter which CMS you're using, I know there is a certain segment of you that will ignore upgrading your site's software to a more secure version. I can understand why some of you might not want to update to the latest feature release of a CMS as it could break obsolescent features. However, I'll never understand why some of you won't upgrade to the latest version of a software package that addresses security vulnerabilities. If you value your site then you need to also value keeping your site updated with the most secure version of your CMS.
Wordpress users better not respond that it's too hard to keep their CMS updated. In case you didn't know, it only takes one click to upgrade your Wordpress site automatically.

Security issues in third party TYPO3 extensions
It's not too often that you see notices from the TYPO3 group on security issues related to their CMS framework. That's why their notice last week about various security issues with several third party TYPO3 extensions caught my attention.
Several vulnerabilities have been found in the following third party TYPO3 extensions:
- Virtual Civil Services (civserv)
- Modern Guestbook / Commenting system (ve_guestbook)
- CWT Community (cwt_community)
- FrontEnd MP3 Player (fe_mp3player)
- Search In Tables (fesearchintable)
- Content Search (gst_contentsearch)
- Multilingual Alias (multilingual_alias)
- Myth Repository (myth_repository)
- References database (t3references)
Further information on the security issues can be found at TYPO3.org.
The case for a boxed CMS: Security
Tim Wilson, the site editor for Dark Reading, recently posted an article about the recent attacks on the AARP.org website. In the colorfully titled article, "Porn Operators Hijack Pages on AARP Website", Wilson interviews Jeremy Yoder of MX Logic about why AARP.org was vulnerable. In brief, the explanation given is that the site had deployed a number of Web 2.0 features, including user profile submissions, without properly filtering out the JavaScript redirect code that users could embed in them. Yoder then explains that the site's lack of security was due to its use of a custom, in-house content management system.
The AARP site is particularly susceptible to this sort of multi-pronged attack because it appears to be driven by a home-grown content management system, Yoder says. "It appears to be a custom system that's missing some baseline-level security capabilities. This site is accepting JavaScript code submissions, which are something that most off-the-shelf content management systems would have no trouble blocking."
AARP may have fallen into the trap that snares many sites when they seek to add Web 2.0-type capabilities, Yoder explains. "They choose their content management system based on its features, without giving much thought to its security capabilities," he says. "That can be a big mistake, especially if you are a site with a lot of visibility that might make a good target, like AARP."
Organizations that seek to build collaborative capabilities into their Websites should consider using systems that have been vetted by others, rather than a custom system, Yoder advises. "An open source solution has the benefit of a community behind it," he says. "WordPress has absorbed a lot of attacks, but now it's a lot stronger because of it."
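The failure Yoder describes above, user-submitted profile content reaching other visitors' browsers with script intact, comes down to how the CMS treats that input when it renders it. The Python below is an added example written for this page; it is not code from AARP's system or from any CMS mentioned here. The profile submissions are constructed, and the `ScriptVectorDetector` class is a simple stand-in for a browser, not a real one. It contrasts the blocklist approach a home-grown system typically starts with (strip literal `<script>` tags, store the rest as HTML) against encoding every submission as text on output, which is the baseline capability Yoder says off-the-shelf systems get right.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample profile submissions for this example; they are not
# real AARP content. The first four carry a script vector, the last is
# benign markup a user might legitimately type.
SAMPLES = [
    "<script>location='http://attacker.example/'</script>",
    "<a href=\"javascript:location='http://attacker.example/'\">my page</a>",
    "<img src=x onerror=\"location='http://attacker.example/'\">",
    "<ScRiPt>location='http://attacker.example/'</ScRiPt>",
    "I like <b>gardening</b> & travel",
]

SCRIPT_TAG = re.compile(r"</?script>")


def naive_filter(submission: str) -> str:
    """Blocklist approach: strip literal <script> tags, store the rest as HTML."""
    return SCRIPT_TAG.sub("", submission)


def encode_on_output(submission: str) -> str:
    """Treat the submission as text: escape every HTML metacharacter at render time."""
    return html.escape(submission, quote=True)


class ScriptVectorDetector(HTMLParser):
    """Stand-in for a browser: flags any parsed tag that would execute script.

    Like a browser, HTMLParser lowercases tag and attribute names, so a case
    trick such as <ScRiPt> is still seen as a script tag. Escaped text
    (&lt;script&gt;) never reaches handle_starttag, because it is not a tag.
    """

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler, e.g. onerror
                self.found = True
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.found = True


def carries_script_vector(rendered_html: str) -> bool:
    """True if the rendered page fragment still contains a way to run script."""
    detector = ScriptVectorDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.found


def evaluate(render):
    """Apply a rendering strategy to every sample; True means script survives."""
    return [carries_script_vector(render(s)) for s in SAMPLES]


if __name__ == "__main__":
    print("blocklist filter :", evaluate(naive_filter))      # [False, True, True, True, False]
    print("encode on output :", evaluate(encode_on_output))  # [False, False, False, False, False]
```

The blocklist stops only the textbook payload: a `javascript:` link, an `onerror` handler and a mixed-case tag all pass straight through. Encoding on output neutralises every sample, at the cost of also flattening the harmless `<b>` in the last one. If the product genuinely needs user-supplied markup, the answer is still not a blocklist; it is to parse the submission and keep only an allowlist of tags and attributes, then encode everything else.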
This article brings back a lot of memories of past discussions we have had here at CMS Report. A couple of years ago, I posted an article that focused on a SitePoint article titled, I Have Never Met a Boxed CMS I Like. The SitePoint article argued that a custom CMS would be a better option because boxed CMSs, whether open source or proprietary, are too generic to be of value. I argued that boxed systems cost less in both money and time, yet offered you more features than a custom CMS could provide. After my post, a number of people commented for and against boxed systems. Ironically, no one really talked about whether custom or in-house CMSs were less or more secure than boxed systems.
In the world of IT, two years can make quite a difference. It was not long ago that most Web applications would promote their security as an added feature of their product. However, I think as time has moved on we have realized that a secure site is not a feature of a CMS, but a basic requirement of the application. In this respect, I can't help but think Yoder is correct that a boxed CMS, whether open source or, I'll argue, a well-supported proprietary package, is likely to be more secure than a custom CMS. I think Sepeck's comment still holds true as to why an "out of the box" CMS is the way to go.
If you want to 'write your own' then you are going to want to be locking your customer into you as a solution. I have met more developers convinced that they knew more than 'those other guys' about 'everything important' that end up leaving the customer with a virtually unsupportable system or so completely reliant on them that, when they leave, the customer has to spend as much or more on fixing or upgrading their sites later.
The 'out of the box' systems exist to fill a need because no one person (or small team for that matter) can be an expert on everything (web, rss, mail, design, information architecture). No one person should be able to lock a customer into them as a solution. That doesn't build a healthy eco-system for their customers or themselves.
The more eyes you have on the code behind the CMS, the more likely there is for someone to catch a potential security vulnerability. When someone does find a way to hack into your system, the more hands you have working on the code the quicker the issue will likely be resolved to provide a security patch. It isn't always true that boxed systems are more secure than a custom in-house CMS, but I'll argue that the odds are in the favor of the boxed CMS.
Goodbye Thunderbird?
I am saddened by continued reports that support for Mozilla's email client, Thunderbird, continues to diminish. From DesktopLinux:
The Mozilla Foundation's press release focused on the Firefox 2.12 security fixes. The Foundation also reported, though, in its MFSA (Mozilla Foundation Security Advisory), that these same bugs had been fixed in the fictitious Thunderbird 2.12... Still, it is upsetting that Mozilla reports that these problems have been fixed in a version of Thunderbird that doesn't exist. The latest version of Thunderbird is 2.09.
Mitchell Baker posted last September about the transfer of Thunderbird from Mozilla to a yet-to-be-seen Mailco organization. Just as DesktopLinux mentioned in its article, I've seen little information about what we can expect for Thunderbird's future. Perhaps I'm just looking in the wrong places?
Elgg 0.8.1 security update and Elgg 0.7 patch
An update for Elgg is available to fix a potential security vulnerability.
A security issue was detected in Elgg versions 0.8 and 0.7 which could potentially lead to a site compromise. Users are encouraged to update their system to release 0.8.1; users of version 0.7 can apply a patch. Both are available for immediate download from SourceForge.
Drupal 4.7.8, 5.3 and CMS Report
A couple of days ago, Drupal 4.7.8 and 5.3 were released. Drupal 5.3 is a maintenance release that addresses five security vulnerabilities as well as a number of bug fixes. For additional information and download links, please see the official announcement at Drupal.org.
CMSReport.com, which uses the Drupal CMS, upgraded from Drupal 5.2 to Drupal 5.3 late Thursday night. No problems, no worries.
CNET: Mac flaw puts Safari surfers at risk
"The flaw can be exploited if the Mac user has enabled an option in Safari to "open safe files after downloading," Secunia said in an advisory Thursday. The security company has rated the problem 'highly critical'."
Ruby: Another DoS Vulnerability in Ruby CGI Library
"Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS)."
The botnets are coming to a Windows PC near you
The November 20, 2006 article "Spam surge linked to hackers" from eWeek is a must read. Unfortunately, I can't find the online version of the print article. I did, however, find a variant of the article posted as Pump and dump spam surge linked to Russian Bot Herders.
The article discusses how hackers are using increasingly sophisticated botnets, running on tens of thousands of hijacked Windows computers, to spread spam. The article focuses on research by SecureWorks into the trojan called Troj/SpamThru. Some scary and unusual features have been identified in this trojan, including:
- Peer-to-peer communication (the hackers keep control without a central server)
- Anti-virus scanning (uses anti-virus software to remove rival malware from the infected PC)
- Template-based spam
- Almost half of the PCs infected are PCs with Windows XP SP2 installed (outside of Vista, Microsoft's most secure Windows system to date).
Do I bring this up because I don't like Microsoft products? Not at all; in fact, as I write this post I'm using a Windows XP system. My point is that if you plan on using Windows XP, do all of us a favor and be sure you've installed the latest software updates and security patches available for your PC.
Tikiwiki 1.9.6 released
A new version of Tikiwiki has been released, Tikiwiki version 1.9.6. This version of Tikiwiki fixes the usual list of bugs and security vulnerabilities that come with the usual point releases. However, 1.9.6 also comes with some new features and enhancements including:
- Search: Batch batch_refresh_indexes_tikisearch.php
- Wiki poll: Highlight in wiki rating box the user rating
- Tracker: can choose export field type: visible/searchable/all
- added a notification when an attachment is added to a watched wiki page
- various updates on Catalan language
- install process can be localized to other languages
Those interested in Tikiwiki will want to check out the original wiki page that not only includes a list of the above features, but also a list of bug fixes and security enhancements. Tikiwiki 1.9.6 is available for download at SourceForge.net.
Mambo 4.5.4 Security Patch 2 Released
"Team Mambo has just released Security Patch 2 for Mambo version 4.5.4. This patch fixes a number of security vulnerabilities and provides some additional hardening of the application."
XOOPS: XOOPS 2.0.15 released
"The XOOPS development team is pleased to announce the release of XOOPS 2.0.15.
This is mainly a maintenance release containing various bugfixes. It also provides security enhancements and thus all 2.0.x users are strongly advised to upgrade.
You can download it from the 2.0.15 release notes page."
Rails discloses security vulnerability to heroic users
The past couple of days have been a busy time for those involved in the Rails open source project. Just as busy as the Rails core developers were the users running Ruby on Rails applications (such as the Radiant content management system). On Wednesday, the project's developers released Rails 1.1.5. In the announcement of the release, David Heinemeier Hansson called upgrading to the new version "mandatory" since the security vulnerability was so severe. However, he didn't want to go into the details of the exact nature of the vulnerability and stated only that, "The issue is in fact of such a criticality that we're not going to dig into the specifics. No need to arm would-be assailants."
Every project team, whether its software is open source or proprietary, faces the challenge of disclosing its software's vulnerabilities. Such disclosures can have positive and negative impacts on the software's users. For example, releasing the exact nature of the vulnerability can give contributing software developers and users an edge in how best to protect their sites, remove the vulnerabilities, and address concerns about any security patch that may not fully fix the problem. However, as Heinemeier Hansson mentions, releasing details of the vulnerability can provide information that enables would-be attackers to cause damage to users of the software.
Drupal 4.7.3 and 4.6.9 released
Upgrading your existing Drupal sites is strongly recommended.
Download
- Drupal 4.7.3 can be downloaded from http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.3.tar.gz.
- Drupal 4.6.9 can be downloaded from http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.9.tar.gz.

