Security in Web Content Management Systems
Sherif H. El-Meligy

Abstract — Content management systems (CMS) provide an optimal solution by organizing information and, mostly, creating and managing an enterprise's knowledge. Usually content management systems are based on core technologies such as database management systems and file systems. Content management is now being regarded as a base technology for other more complex applications. This paper discusses security in CMS as one of the main goals that should be achieved, since a CMS deals with huge amounts of data and different types of users.

Index Terms — Web content management, Security and protection, Access control

I. INTRODUCTION

A Content Management System (CMS) is a computer program used to create, edit, manage, and publish content in a consistently organized fashion. CMSs are frequently used for storing, controlling, versioning, and publishing documentation such as news articles, operators' manuals, technical manuals, sales guides, and marketing brochures. Today, they are most often used to control the contents of a website. Such a CMS is called a Web Content Management System (WCMS). The WCMS market is currently divided among two main classifications: the first is open source licensing and the second is owned or leased licensing.

This paper focuses on security issues in WCMS; the objective is to understand the security issues as well as a generic security framework.

Fig.1. Web Content Management System

II. SECURITY FRAMEWORK IN WCMS

A. Security Attributes

The main attributes of information security [1] are confidentiality, integrity, authentication, availability and non-repudiation. Confidentiality means that only legal users have the rights to access data; integrity ensures that data are protected from misuse and modification by illegal users; authentication is important to correctly identify users; availability of system resources on demand is very important; and finally non-repudiation is to prevent the denial of communication between the sender and the receiver.
If a Web system is built without taking security into consideration from the beginning, through the design and implementation, fixing and solving security problems will become more difficult and complex.

B. Proposed Security Framework

The eight functional dimensions include data, directory, forms, configurations, sessions, cookies, embedded queries and XML communication. The five goals of security, which include integrity, privacy, authentication, availability, and non-repudiation, when mapped to the above mentioned functional dimensions of WCMS give rise to the framework shown in Figure 2.

Fig.2. Security Framework

Table 1 summarizes the eight functional dimensions of the framework and the security measures for each.

Table 1 Security measures for functional dimensions

Functional Dimension | Security Measure
Configurations | WCMS must be properly configured on a server in order to ensure top level
Cookies | Use non-persistent cookies; if persistent cookies are used, a short cookie lifetime needs to be specified, and it is preferred to transmit cookies over a secure communication channel.
Forms | A good software design ensures that data filtering cannot be bypassed and that invalid data cannot be mistaken for valid data, and identifies the origin of
Embedded Queries | Carefully examine database queries for wildcard characters, validate and ensure that input fields contain only the relevant user-related information, and ensure proper permissions exist on the database objects accessed by the Web application.
Sessions | Ensure consistent and appropriate session timeouts for the application.
Directory | Disable directory browsing.
Data | Place all modules outside of the document root and do not make modules accessible.
XML communication | Security gateway appliances process encryption of XML files, enforce security policies authorizing access, and generate a log of network activities for auditing purposes, tracking potential hackers.
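As an added example (not code from the paper), the following Python snippet shows the Forms and Embedded Queries measures of Table 1 applied to one search feature of a WCMS: a whitelist check on the form field, a fixed query with user input bound only as parameters, and escaping of the LIKE wildcard characters so that they match literally. The table rows, the username rule and the escape character are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a WCMS article table (not the paper's data).
SAMPLE_ROWS = [
    (1, "alice", "Welcome post", 1),
    (2, "bob", "Draft: pricing", 0),
    (3, "alice", "100% uptime report", 1),
]

# Forms dimension: a whitelist, so invalid data is rejected rather than mistaken for valid data.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")

def is_valid_username(value):
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None

def escape_like(term):
    """Wild characters % and _ in a LIKE pattern become literals; '!' is the escape char."""
    return term.replace("!", "!!").replace("%", "!%").replace("_", "!_")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, author TEXT, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def search_titles(conn, author, term):
    """Return ids of published articles by `author` whose title contains `term`.

    Embedded-queries dimension: the query text is fixed; user input is only ever bound
    as parameters, and the LIKE wildcards in `term` are escaped so they match literally.
    """
    if not is_valid_username(author):
        raise ValueError("invalid author name")
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT id FROM articles WHERE author = ? AND published = 1 "
        "AND title LIKE ? ESCAPE '!' ORDER BY id",
        (author, pattern),
    ).fetchall()
    return [row[0] for row in rows]
```

A search term of "%" therefore only finds titles containing a percent sign instead of every row, and quote characters in the term never reach the SQL text.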
C. Evaluation of the Framework

This framework was evaluated in two WCMS software applications, Mambo and vBulletin. Mambo is by far one of the leading WCMS software packages available today due to its user-friendly and advanced features. vBulletin is a community forum solution which is extremely affordable, reliable, professional, and is effectively instrumental in giving an instant community. In general, both applications have most of the security features in place; however, there exist some drawbacks:

- Some of the security features need to be implemented using third-party software.
- Centralized upload location.
- No automatic uploads for package patches and security uploads.

Table 2 Comparison between two WC

III. SECURITY ATTACKS

Web content management systems are subject to different types of security attacks [2]. These include data manipulation, in which the attacker has the ability to change the original data; accessing confidential data using SQL code injection; phishing, by collecting information about users via email and encouraging them to enter certain websites where they can accidentally enter their secret information; loading defective code into the system; and finally using spam emails. Figure 3 shows possible WCMS attacks.

Fig.3. Different types of Security Attacks

A. Security Analysis

Two famous WCMS, Joomla and Drupal, are evaluated and compared from the security perspective. Joomla is a derivative of Mambo, a popular PHP-based WCMS, and has been used to build roughly 5 million Web sites worldwide. Drupal is used for numerous private and university Web sites, as well as for collaboration portals and e-commerce sites.

In order to perform the evaluation and the analysis, several steps are performed:

1. Install both systems and evaluate how different configuration settings affect security.
2. Perform simple penetration testing.
3. Inspect source code files.
4. Use the knowledge gained in step 3 to send additional and more focused malicious requests.
5. Evaluate community support for security issues.

B. Analysis Results

Although Joomla and Drupal passed most of the steps, the security level of both WCMS is bounded by their users, since they can open the doors for malicious code. Both systems are supported by security-aware communities, and their security levels are expected to increase in the future.

IV. USERS ACCESS CONTROL

Since a content management system provides information to various employees within the organization, certain information may be sensitive to particular users of the content management system. It is thus of vital importance that certain security mechanisms are implemented to prevent users of the content management system from viewing information not meant for them. Access controls are security mechanisms implemented to prevent users from accessing unauthorized information. By implementing access controls within a content management system, the risk of a user viewing sensitive information is drastically minimized.

Research work is divided into studies which look at the use of access control and sharing technologies and those which propose improved access control interfaces and evaluate them in a laboratory setting. A number of recent studies have examined the use of access controls in file and media sharing applications and the use of privacy settings in a mobile photo sharing application. Other researchers study the access control policies users developed around physical keys and a more flexible replacement using mobile phones to control access to doors. Users found the automated alternative preferable to physical keys, and used it to manage more complex access policies. There is much work on increasing the usability of interfaces to traditional access control systems.

In [3], automated data mining techniques are used to examine the use of access control features present in a standard CMS as used for a long time (10 years or more). It was found that while users rarely need to change access policies, the policies they do express are actually quite complex; also, users participate in larger numbers of access control and email sharing groups than measured by self-report in previous studies.

The study resulted in a number of suggestions for the design of both access control systems themselves and the interfaces used to manage them:

- Simplify Access Control Models
  - Only allow positive grants of access.
  - Simplify the inheritance model for access control changes.
  - Limit the types of permissions that can be granted.
  - Group definitions.
- Improve Tools for Managing Access
  - Tools for group management.
  - Tools for ACL management.
  - Tools for administrators.
  - Activity-based folksonomies of groups and users.
  - Visualizations.

V. CONCLUSION

Organizations can definitely benefit from collecting and managing their information in a proper manner. Content management systems are specifically designed for this purpose, and in order for CMSs to accomplish their mission, security, as one of the main goals, should be achieved.

First, a security framework is proposed which can be used to understand different security issues related to WCMS. As an example, this study compares two leading WCMS, Mambo and vBulletin; firms can use this methodology to understand other software that is available in the market currently and in the future.

Secondly, the paper discusses the possible WCMS attacks, and a comparison is established between two widely used CMSs, Joomla and Drupal. The results were promising, but there is an opportunity for inexperienced and experienced users to open the doors for malicious code. Both systems are supported by security-aware communities.

Finally, the paper dealt with the access control of different CMSs. Access controls ensure not only that information is kept confidential; they also help by assuring that the integrity of the information is maintained. During the study, several aspects of users' behavior concerning access controls were discovered: it was found that users almost never set access control policies on content, preferring instead to rely on context. They share that content, though, in complex ways. Users participate in much larger numbers of access controls in email sharing groups, and users make many errors when defining access control policies using traditional interfaces. As a result of these observations, the study proposed a number of suggestions for the design of both access control systems themselves and the interfaces used to manage them.

[1] Vaidyanathan and Mautone, Security in Dynamic Web Content Management Systems Applications, Communications of the ACM, 2009.
[2] Meike, Sametinger and Wiesauer, Security in Open Source Web Content Management Systems, 2009.
[3] Smetters and Good, How Users Use Access Control, 2009.