22 Dec

Security concerns with open source web apps and how to be safe

Best Practices

While doing some routine research on the net today I came across a security advisory site. It reminded me how easy it is for script kiddies to hack into most outdated open source apps. This is nothing new, but I feel it is worth sharing my experience as a web developer. For instance, this site has a special section for web apps featuring the latest vulnerabilities and potential security compromises: http://milw0rm.com/webapps.php

If you start browsing through it, you will easily find everything from file disclosure attacks to SQL injections. And it doesn't stop there: for most of the reported security issues, people have even published a test script or attacker code that anyone can run from their own computer, so the pool of possible attackers is no longer just those who are aware of the flaw, but everyone who now has a ready-made tool to do what they want with a victim website. I've seen many websites go down in huge numbers when such vulnerabilities come out in public. One of the biggest vulnerabilities in phpBB, an open source forum, was released a few years back. It allowed any attacker to gain shell access to the victim website, and yes, I did try it on my server before fixing the code. I saw something like hundreds of websites go down in a matter of a few hours. Later, the flaw hit phpBB so hard that an automated worm was built around the exploit. You can see the BBC News article for stats etc. on it.

My clients ask me, 'This new open source technology is cool; we would like to go with it. What do you think?' I often stop and think for a second. Sometimes I also try to explain to them the positive and negative aspects related to it. I know the decision to use open source technology will save time and budget anyway, so I leave the decision to them most of the time. But I know it's not as safe as a custom-made app; I believe using something which is accessible to thousands of people comes with its own disadvantages (and advantages too, for that matter).

So should you really stop using WordPress or Joomla or any other open source tech?

No, and yes. First, you have to accept one thing: by choosing an open source app you are leaving yourself somewhat more open to attack, because the code, its flaws and often the exploit code itself are available to everyone, and you have to accept that fact. But good open source projects like Joomla, WordPress, phpBB and many others with big communities are more responsive to such attacks: within a few hours of a vulnerability becoming public they release security updates, and they have good channels to notify the people using them. Sometimes these project owners are informed even before the vulnerability is made public. Still, you can't rely on a community alone if you are handling sensitive data or sensitive operations with your application. I wouldn't recommend any open source web app to a government institution, never ever, for the same reason.

So, is open source with the backing of a big community good enough?

No matter how good or bad a project's community might be, you have to keep your eyes open for new vulnerabilities. If you've just launched an app and then left it ignored on a server for months, you are likely to get hacked before any actively maintained website, because once an exploit is public, unpatched installs are the easiest targets to find. Remember, good administration is a must when using open source web apps. I highly recommend that you either keep an eye on such alerts yourself or let your developers do the job. As they say, prevention is better than cure. Being proactive in preventing an attack is much easier than getting back online after your app has been compromised through a known vulnerability.

What do we recommend?

  • Keep an eye on security updates from the project's website
  • Always use the latest stable version of the software, and apply updates promptly
  • Keep an eye on advisory boards and similar websites (the best thing is to create a Google web alert so you are notified as soon as something like this is out)
  • Timely automated backups, stored somewhere other than the web server itself so that a compromised host can't take the backups down with it
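As an added example (not code from this post, from WordPress or from any project), here is a small Python script that does two items on that list mechanically. It reads the installed version out of a WordPress-style wp-includes/version.php and compares it with a known latest release, and it snapshots the docroot into a SHA-256 manifest so that a later snapshot can be compared against the backup's manifest to show exactly which files were added, removed or modified. That goes a step beyond the list: the manifest diff is the first thing you want when deciding whether a backup is clean enough to restore from. The "latest" version string, the directory layout and the file contents are all constructed for the demo; on a real host you would take the current release number from the project's own announcements and point the snapshot at the live docroot.

```python
"""Added example: version check plus backup manifest for a WordPress-style docroot.
Not code from the post or from WordPress. The release number, paths and file
contents below are constructed for the demo."""
import hashlib
import json
import os
import re
import tempfile

# WordPress stores its version in wp-includes/version.php as:  $wp_version = '2.6.3';
# The regex keeps only the numeric part so '2.7-beta1' still compares as 2.7.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)[^'\"]*['\"]")


def parse_wp_version(php_source):
    """Return the version string from version.php source, or None if absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(v):
    """'2.6.3' -> (2, 6, 3) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip(".").split("."))


def is_outdated(installed, latest):
    """True when the installed release is older than the latest known release.
    Missing trailing components count as 0, so 2.7 == 2.7.0."""
    a, b = version_tuple(installed), version_tuple(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def snapshot_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def demo():
    """Build a tiny constructed docroot, check its version, snapshot it, tamper
    with it the way an intruder would, and return the verdict plus the diff."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '2.6.3';\n")          # constructed
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")    # constructed

        with open(os.path.join(inc, "version.php")) as fh:
            installed = parse_wp_version(fh.read())
        latest = "2.7"  # assumption standing in for the project's announced release
        outdated = is_outdated(installed, latest)

        before = snapshot_manifest(root)  # what the backup job would store

        # Simulate a compromise: one existing file edited, one new file planted.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// tampered line (constructed)\n")
        with open(os.path.join(root, "wp-content-cache.php"), "w") as fh:
            fh.write("<?php // planted file (constructed)\n")

        after = snapshot_manifest(root)
        return {"installed": installed, "latest": latest,
                "outdated": outdated, "changes": diff_manifests(before, after)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the output reports the install as outdated (2.6.3 against 2.7) and lists index.php as modified and wp-content-cache.php as added. In practice you would store the manifest next to each backup and compare it with a fresh snapshot from cron, so a changed core file shows up before an advisory does.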

If you're not already doing this, I highly recommend getting on it from today if you really care about your website. Hope this helps. Thanks for reading.

- Abhimanyu Grover
