Your WordPress and Drupal installs are probably obsolete

Research reckons Mossack Fonseca hack may have been thanks to CMS vulns

13 Reg comments Got Tips?

Many of the UK's biggest firms are running outdated versions of their Drupal and Wordpress Content Management Systems (CMSes).

Threat management company RiskIQ conducted research across the top 30 organisations in the UK (FTSE-30), looking specifically at Wordpress and Drupal instances visible on the open web.

At least three in 10 of the content management system installs were vulnerable on one way or another, according to RiskIQ:

Across the publicly accessible web sites of the FTSE-30 we found 1069 web sites hosting either Wordpress or Drupal and were able to identify the CMS versions in 773 of them. The other 296 have disabled public access to their CHANGELOG.txt so their version was unknown.

Of the 773 sites with known versions, 307 have known vulnerabilities referenced in one or more CVEs. That represents 40 per cent of the total number of sites where the version is known and 29% of the overall total. The real percentage of vulnerable CMS instances lies somewhere in between.

CMSes play an important role in everything from providing potential customers with product information to ongoing communications and support. Despite the widespread use of the technology CMSes are frequently not given the attention they deserve, hence the widespread occurrence of problems even in the UK’s largest and presumably best-resourced enterprises.

“In many cases they are not tier 1 applications set up and supported by central IT and this can all too often result in a set up and forget approach,” according to RiskIQ.

RiskIQ was prompted to carry out the study by the Panama Papers controversy. Evidence of tax avoidance and personal info about the rich and powerful was exposed by a leak of Panamanian lawyers Mossack Fonseca. Many in the infused community, at least, suspect a hack against Mossack Fonseca’s CMS played a key role in the breach.

“Numerous security researchers commented on the poor security state of Mossack Fonseca’s IT systems which could have offered the attacker numerous ways into the organisation’s network, including outdated versions of their Drupal and Wordpress CMSes,” RiskIQ explains.

“CMS vulnerabilities are a common theme in many of the successful attacks we read about. With the ubiquitous nature of Content Management Systems driving the web experience, there are potential risks for all organisations.” ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

We want weaponised urban drones flying through your house, says UK defence ministry as it waves a fistful of banknotes

£150k up for grabs if you can help create the dystopian future of warfare

Browse mode: We're not goofing off on the Sidebar of Shame and online shopping sites, says UK's Ministry of Defence

Its servers merely record more HTTPS requests to Mail Online and Amazon than anywhere else

We'll pay £400k for a depth charge-proof robot submarine, says UK's Ministry of Defence

British military continues push for new autonomous tech

UK's Ministry of Defence loads up £4.6m for one plucky IaaS and PaaS provider to host Oracle Primavera apps

Attention! Stand up straight you 'orrible lot!

Drupal drops first big upgrade in five years and looks forward by looking backwards

CMS behind gov.uk and plenty more government sites worldwide promises easy upgrade from current code to new version 9.0

Ministry of Defence lowers supplier infosec standards thanks to COVID-19 outbreak

Updated Can't get assessors on-site to check SMEs' antivirus updates

UK's Ministry of Defence: We'll harvest and anonymise private COVID-19 apps' tracing data by handing it to 'behavioural science' arm

Analysis Plus: Serco plays email fail game by mass-mailing human contact tracers; NCSC gives feedback on feedback about beta app

Ministry of Defence's new payroll contract is, surprise, surprise, MIA: Missing In Action

Procurement heads fail to finalise specs for replacement deal, extend current agreement with DXC Technology

Biting the hand that feeds IT © 1998–2020