Security in Web Content Management Systems

Sherif H. El-Meligy

Abstract: Content management systems (CMS) provide an optimal solution by organizing information and, mostly, creating and managing an enterprise's knowledge. Usually content management systems are based on core technologies such as database management systems and file systems. Content management is now being regarded as a base technology for other more complex applications. This paper discusses security in CMS as one of the main goals that should be achieved, since a CMS deals with a huge amount of data and different types of users.

Index Terms: Web content management, Security and protection, Access control

I. INTRODUCTION

A Content Management System (CMS) is a computer program used to create, edit, manage, and publish content in a consistently organized fashion. CMSs are frequently used for storing, controlling, versioning, and publishing documentation such as news articles, operators' manuals, technical manuals, sales guides, and marketing brochures. Today, they are most often used to control the contents of a website. Such a CMS is called a Web Content Management System (WCMS). The WCMS market is currently divided among two main classifications: the first is open source licensing and the second is owned or leased licensing.

This paper focuses on security issues in WCMS; the objective is to understand the security issues as well as a generic security framework.

Fig. 1. Web Content Management System

II. SECURITY FRAMEWORK IN WCMS

A. Security Attributes

The main attributes of information security are confidentiality, integrity, authentication, availability and non-repudiation. Confidentiality means that only legal users have the rights to access data; integrity ensures that data are protected from misuse and modification by illegal users; authentication is important to correctly identify users; availability of system resources on demand is very important; and finally non-repudiation is to prevent the denial of communication between both the sender and the receiver.

If a Web system is built without taking security into consideration from the beginning, through the design and implementation, fixing and solving security problems will become more difficult and complex.

B. Proposed Security Framework

The eight functional dimensions include data, directory, forms, configurations, sessions, cookies, embedded queries and XML communication. The five goals of security, which include integrity, privacy, authentication, availability, and non-repudiation, when mapped to the above mentioned functional dimensions of WCMS give rise to the framework shown in Figure 2.

Fig. 2. Security Framework

Table 1 summarizes the eight functional dimensions of the framework and the security measures for each.

Table 1. Security measures for functional dimensions

| Functional dimension | Security measure |
|---|---|
| Configurations | WCMS must be properly configured on a server in order to ensure top level security. |
| Cookies | Use non-persistent cookies; if persistent cookies are used, a short cookie lifetime needs to be specified, and it is preferred to transmit cookies over a secure communication channel. |
| Forms | Good software design ensures that data filtering cannot be bypassed, that invalid data cannot be mistaken for valid data, and that the origin of data can be identified. |
| Embedded queries | Carefully examine database queries for wildcard characters, validate and ensure that input fields contain only the relevant user-related information, and ensure proper permissions exist on the database objects accessed by the Web application. |
| Sessions | Ensure consistent and appropriate session timeouts for the application. |
| Directory | Disable directory browsing. |
| Data | Place all modules outside of the document root and do not make modules accessible. |
| XML communication | Security gateway appliances process the encryption of XML files, enforce security policies authorizing access, and generate a log of network activities for auditing purposes, tracking potential hackers. |

C. Evaluation of the Framework

This framework was evaluated in two WCMS software applications, Mambo and vBulletin. Mambo is by far one of the leading WCMS software available today due to its user-friendly and advanced features. vBulletin is a community forum solution which is extremely affordable, reliable, professional, and is effectively instrumental in giving an instant community. In general, both applications have most of the security features in place; however, there exist some drawbacks:

- Some of the security features need to be implemented using third-party software.
- Centralized upload location.
- No automatic uploads for package patches and security uploads.

III. SECURITY ATTACKS

Web content management systems are subject to different types of security attacks. These include data manipulation, in which the attacker has the ability to change the original data; accessing confidential data using SQL code injection; phishing, by collecting information about users via email and encouraging them to enter certain websites where they can accidentally enter their secret information; loading defective code into the system; and finally using spam emails. Figure 3 shows possible WCMS attacks.

Fig. 3. Different types of Security Attacks

A. Security Analysis

Two famous WCMS, Joomla and Drupal, are evaluated and compared from the security perspective. Joomla is a derivative of Mambo, a popular PHP-based WCMS, and has been used to build roughly 5 million Web sites worldwide. Drupal is used for numerous private and university Web sites, as well as for collaboration portals and e-commerce sites.

In order to perform the evaluation and the analysis, several steps are performed:

1. Install both systems and evaluate how different configuration settings will affect security.
2. Perform simple penetration testing.
3. Inspect source code files.
4. Use the knowledge gained in step 3 to send additional and more focused malicious requests.
5. Evaluate community support for security issues.

B. Analysis Results

Table 2. Comparison between two WCMS

Although Joomla and Drupal passed most of the steps, the security level of both WCMS is bounded by their users, since they can open the doors for malicious code. Both systems are supported by security-aware communities, and their security levels are expected to increase in the future.

IV. USERS ACCESS CONTROL

Since a content management system provides information to various employees within the organization, certain information may be sensitive to particular users of the content management system. It is thus of vital importance that certain security mechanisms are implemented to prevent users of the content management system from viewing information not meant for them. Access controls are security mechanisms implemented to prevent users from accessing unauthorized information. By implementing access controls within a content management system, the risk of a user viewing sensitive information is drastically minimized.

Research work is divided into studies which look at the use of access control and sharing technologies and those which propose improved access control interfaces and evaluate them in a laboratory setting. A number of recent studies have examined the use of access controls in file and media sharing applications, and the use of privacy settings in a mobile photo sharing application. Other researchers study the access control policies users developed around physical keys and a more flexible replacement using mobile phones to control access to doors. Users found the automated alternative preferable to physical keys, and used it to manage more complex access policies. There is much work on increasing the usability of interfaces to traditional access control systems.

In one such study, automated data mining techniques are used to examine the use of access control features present in a standard CMS as used for a long time (10 years or more). It was found that while users rarely need to change access policies, the policies they do express are actually quite complex; also, users participate in larger numbers of access control and email sharing groups than measured by self-report in previous studies. During the study several user behaviours concerning access controls were discovered: users almost never set access control policies on content, preferring instead to rely on context; they share that content, though, in complex ways; users participate in much larger numbers of access controls in email sharing groups; and users make many errors when defining access control policies using traditional interfaces. As a result of these observations, the study proposed a number of suggestions for the design of both access control systems themselves and the interfaces used to manage them:

- Simplify Access Control Models
  - Only allow positive grants of access.
  - Simplify the inheritance model for access control changes.
  - Limit the types of permissions that can be granted.
  - Group definitions.
- Improve Tools for Managing Access
  - Tools for group management.
  - Tools for ACL management.
  - Tools for administrators.
  - Activity-based folksonomies of groups and users.
  - Visualizations.

V. CONCLUSION

Organizations can definitely benefit from collecting and managing their information in a proper manner. Content management systems are specifically designed for this purpose, and in order for a CMS to accomplish its mission, security, as one of the main goals, should be achieved.

First, a security framework is proposed which can be used to understand different security issues related to WCMS. As an example, this study compares two leading WCMS, Mambo and vBulletin; firms can use this methodology to understand other software that is available in the market currently and in the future. Secondly, the paper discusses the possible WCMS attacks, and a comparison is established between two widely used CMSs, Joomla and Drupal. The results were promising, but there is an opportunity for inexperienced and experienced users to open the doors for malicious code. Both systems are supported by security-aware communities. Finally, the paper dealt with the access control of different CMSs; access controls ensure not only that information is kept confidential, but also help by assuring that the integrity of the information is maintained.

REFERENCES

[1] Vaidyanathan and Mautone, Security in Dynamic Web Content Management Systems Applications, Communications of the ACM, 2009.
[2] Meike, Sametinger and Wiesauer, Security in Open Source Web Content Management Systems, 2009.
[3] Smetters and Good, How Users Use Access Control, 2009.
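The Cookies, Sessions and Embedded queries rows of Table 1 state measures without showing what they look like in code. The following is an added example, written for this edited copy and not taken from the paper or from any of the WCMS products it discusses. It builds a session cookie that is non-persistent by default and capped to a short lifetime when persistence is requested, checks a session against an idle and an absolute timeout, and places the "embedded query" anti-pattern next to the parameterised query that replaces it. The Secure attribute is the paper's "secure communication" point; HttpOnly and SameSite=Strict are extra hardening the paper does not mention. All names, timeout values and the sample user table are constructed for the illustration.

```python
"""Added example: three Table 1 measures (cookies, sessions, embedded queries).

Nothing here is code from the paper; limits and data are constructed.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import List, Tuple

# --- Cookies ---------------------------------------------------------------
MAX_PERSISTENT_LIFETIME = 900  # seconds; constructed upper bound for the demo


def session_cookie_header(session_id: str, persistent: bool = False,
                          max_age_seconds: int = MAX_PERSISTENT_LIFETIME) -> str:
    """Build a Set-Cookie header value.

    Without Max-Age the cookie is non-persistent (dropped when the browser
    closes). When a persistent cookie is requested the lifetime is capped.
    Secure limits transmission to TLS; HttpOnly and SameSite are additional
    hardening beyond the paper's wording.
    """
    attrs = [f"SESSIONID={session_id}", "Path=/", "Secure", "HttpOnly",
             "SameSite=Strict"]
    if persistent:
        attrs.append(f"Max-Age={min(max_age_seconds, MAX_PERSISTENT_LIFETIME)}")
    return "; ".join(attrs)


# --- Sessions --------------------------------------------------------------
IDLE_TIMEOUT = timedelta(minutes=15)   # constructed policy values
ABSOLUTE_TIMEOUT = timedelta(hours=8)


def session_is_valid(created: datetime, last_seen: datetime, now: datetime) -> bool:
    """A session expires when idle too long or when it has lived too long overall."""
    if now - last_seen > IDLE_TIMEOUT:
        return False
    if now - created > ABSOLUTE_TIMEOUT:
        return False
    return True


# --- Embedded queries ------------------------------------------------------
def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a CMS user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "editor"), ("bob", "author"), ("carol", "admin")])
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Anti-pattern: the input is spliced into the SQL text and parsed as SQL."""
    cur = conn.execute(f"SELECT role FROM users WHERE name = '{name}'")
    return [row[0] for row in cur.fetchall()]


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised form: the driver binds the input as data, never as SQL."""
    cur = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def compare_lookups() -> Tuple[List[str], List[str]]:
    """Run both forms on one input containing SQL metacharacters (constructed)."""
    conn = build_demo_db()
    tricky = "nobody' OR '1'='1"
    return lookup_role_unsafe(conn, tricky), lookup_role_safe(conn, tricky)


if __name__ == "__main__":
    print(session_cookie_header("abc123"))
    print(session_cookie_header("abc123", persistent=True, max_age_seconds=86400))
    unsafe, safe = compare_lookups()
    print("unsafe query returned", unsafe)  # every role leaks
    print("safe query returned", safe)      # no such user, nothing returned
```

The point of `compare_lookups` is the Table 1 wording "ensure that input fields contain only the relevant user-related information": with string splicing the wildcard-style input changes the query, while the bound parameter is compared literally against the name column and matches nothing. The database-object permissions the same row asks for (a read-only account for the public-facing query path) are a deployment setting outside this snippet.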
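The Forms row of Table 1 asks for three things: filtering that cannot be bypassed, invalid data that is never mistaken for valid data, and a way to identify the origin of submitted data. The following added example (written for this edited copy, not code from the paper or from any CMS it names) does all three for a constructed comment form: every field is checked on the server against an allowlist pattern and length, any unexpected or malformed field rejects the whole submission instead of being partially accepted, and a hidden-field token derived by HMAC from the session identifier proves the form was issued to this session. The form schema, field names, session identifiers and the secret are constructed.

```python
"""Added example: server-side form filtering and origin token (Table 1, Forms).

Not code from the paper; schema, secret and sample submissions are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed schema for a comment form: field -> (allowed pattern, max length).
# The check runs on the server, so altering the client-side form cannot bypass it.
COMMENT_FORM = {
    "author":  (re.compile(r"[A-Za-z0-9 ._-]+"), 40),
    "email":   (re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"), 254),
    "article": (re.compile(r"[0-9]+"), 10),
    # Body: free text, but no ASCII control characters other than tab/CR/LF.
    "body":    (re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]*"), 2000),
}

# Constructed secret; a real deployment loads it from configuration, not source.
SERVER_SECRET = b"constructed-demo-secret"


def issue_form_token(session_id: str) -> str:
    """Token placed in a hidden field when the form is rendered.

    It is an HMAC over the session id, so it is only valid for the session
    that received the form; this is how the submission's origin is identified.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_form_token(session_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_form_token(session_id), token)


def validate_form(fields: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Allowlist validation.

    Returns (clean, errors). clean is empty whenever errors is non-empty, so a
    partly valid submission can never be mistaken for a valid one.
    """
    errors: List[str] = []
    clean: Dict[str, str] = {}
    for name in fields:
        if name not in COMMENT_FORM and name != "form_token":
            errors.append(f"unexpected field: {name}")
    for name, (pattern, max_len) in COMMENT_FORM.items():
        value = fields.get(name)
        if not isinstance(value, str):
            errors.append(f"missing field: {name}")
        elif len(value) > max_len or pattern.fullmatch(value) is None:
            errors.append(f"invalid value for field: {name}")
        else:
            clean[name] = value
    return ({} if errors else clean), errors


def handle_submission(session_id: str, fields: Dict[str, str]) -> Tuple[str, object]:
    """Origin check first, then field validation; either failure rejects the form."""
    if not verify_form_token(session_id, fields.get("form_token", "")):
        return "rejected", ["form token missing or not issued to this session"]
    clean, errors = validate_form(fields)
    if errors:
        return "rejected", errors
    return "accepted", clean


def sample_submission(session_id: str) -> Dict[str, str]:
    """Constructed well-formed submission for the demo and tests."""
    return {
        "form_token": issue_form_token(session_id),
        "author": "bob",
        "email": "bob@example.org",
        "article": "42",
        "body": "Nice article.\nThanks.",
    }


if __name__ == "__main__":
    sid = "constructed-session-1"
    print(handle_submission(sid, sample_submission(sid)))
    print(handle_submission(sid, dict(sample_submission(sid), article="42abc")))
    print(handle_submission(sid, dict(sample_submission(sid), is_admin="1")))
    print(handle_submission(sid, dict(sample_submission(sid),
                                      form_token=issue_form_token("other-session"))))
```

Two design choices matter here. `fullmatch` is used rather than `match` so that a trailing newline or appended text after a valid prefix fails the check, which is the "invalid data mistaken for valid data" case in the table. And an unexpected field such as `is_admin` is a rejection, not something silently dropped, because a form handler that copies whatever arrives into a record is exactly where unvalidated data enters a CMS.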
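Section IV lists the "Simplify Access Control Models" suggestions (positive grants only, a simpler inheritance model, a limited permission set, group definitions) without showing how they fit together. The following added example, written for this edited copy and not drawn from the paper or from the study it summarizes, is one concrete model built on those four points for a content tree: grants name a group, a permission from a fixed set and a content path; a node inherits every grant on its ancestors and can only add to them; and because no "deny" entry exists, the decision is deny-by-default and the effective permissions are simply the union of applicable grants. Users, groups and content paths are constructed.

```python
"""Added example: a positive-grants-only ACL for CMS content (Section IV).

Not code from the paper; groups, users and paths are constructed.
"""
from typing import Dict, FrozenSet, Iterator, Set

# Limit the types of permissions that can be granted (Section IV suggestion).
PERMISSIONS = frozenset({"read", "edit", "publish"})


class ContentACL:
    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {}              # group -> member user ids
        self.grants: Dict[str, Dict[str, Set[str]]] = {}   # path -> group -> perms

    def define_group(self, group: str, members: Set[str]) -> None:
        """Grants are made to groups, never to individual users."""
        self.groups[group] = set(members)

    def grant(self, path: str, group: str, perm: str) -> None:
        """The only write operation: add a positive grant. There is no deny."""
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}; allowed: {sorted(PERMISSIONS)}")
        if group not in self.groups:
            raise KeyError(f"undefined group {group!r}")
        self.grants.setdefault(path, {}).setdefault(group, set()).add(perm)

    @staticmethod
    def _lineage(path: str) -> Iterator[str]:
        """Yield the root and every ancestor down to the path itself."""
        yield "/"
        node = ""
        for part in path.strip("/").split("/"):
            if part:
                node += "/" + part
                yield node

    def effective(self, path: str, user: str) -> FrozenSet[str]:
        """Union of grants on the path and its ancestors for the user's groups.

        One inheritance rule: a child can widen what its parent grants, never
        narrow it, so the result is always computable by a single walk down.
        """
        memberships = {g for g, members in self.groups.items() if user in members}
        perms: Set[str] = set()
        for node in self._lineage(path):
            for group, granted in self.grants.get(node, {}).items():
                if group in memberships:
                    perms |= granted
        return frozenset(perms)

    def allowed(self, path: str, user: str, perm: str) -> bool:
        """Deny by default: true only if some applicable grant includes perm."""
        return perm in self.effective(path, user)


def build_demo_acl() -> ContentACL:
    """Constructed intranet: a news area for all staff, an HR area for HR only."""
    acl = ContentACL()
    acl.define_group("staff", {"alice", "bob", "carol"})
    acl.define_group("editors", {"alice"})
    acl.define_group("hr", {"carol"})
    acl.grant("/news", "staff", "read")
    acl.grant("/news", "editors", "edit")
    acl.grant("/news", "editors", "publish")
    acl.grant("/hr", "hr", "read")
    acl.grant("/hr", "hr", "edit")
    return acl


def unknown_permission_is_rejected() -> bool:
    """Shows the limited permission set in action."""
    acl = build_demo_acl()
    try:
        acl.grant("/news", "staff", "delete")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    acl = build_demo_acl()
    for user in ("alice", "bob", "carol"):
        for path in ("/news/2009/post-1", "/hr/salaries"):
            print(f"{user:6} {path:18} {sorted(acl.effective(path, user))}")
```

Because sensitive content cannot be carved out of a broadly granted subtree with a deny entry, the model pushes administrators to place it in its own subtree (here `/hr`), which is the trade-off the "only positive grants" suggestion implies: less expressive, but every decision is explainable by listing the grants that produced it.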