Ungerboeck Digital - Blog


Widgety, Widgety, Widgety, (w)Hack

Kevin Zink
Mar 01, 2016
open-source-security

One of the largest draws of an open source CMS is its community, both the users and the developers. The developer community splits into a handful of groups: those who extend the product with useful, extensible widgets; those with good intentions but questionable skills; and those who flood the market with poorly designed, deliberately intrusive widgets. We will be focusing on the last of these.

"Why," you might ask yourself, "would the focus be on a group of widgets that we will, most certainly, never use?" The answer is simple: what you don't know can hurt you.

The Bad Guys

Unfortunately, there are developers in the wild who try to take advantage of a large installed base. This often takes the form of a waiting game. A devious but patient developer will, on occasion, publish an excellent widget: easy to use, extensible and well supported. Then they wait until it has been installed far and wide. At that saturation point, the developer pushes a patch. The patch, however, may be far from benign, and it can compromise every site that installs it in any number of ways: adware, injected code, data harvesting and so on. Because a routine update is the delivery mechanism, the malicious version inherits all of the trust the widget earned while it was clean.

"Why oh why would they do this to me?" you ask. Not to be cliché, but it isn't you, it's them. Money, power and infamy, for starters. It may also be that the developer's own credentials were compromised, and attackers are using the reach of a popular account they now control to push their own code. We may never know. The end result, however, is that a once useful piece of your site has become a liability to you and your user base.

Is All Hope Lost?

Good question. Your first line of defense is to stay on the cutting edge, but not the bleeding edge, of any release. With such a large community of support, sometimes it is best to let someone else charge in (I'm speaking to you, Leeroy Jenkins) until any initial massacre has already taken place. Once the update receives a clean bill of health from the community at large and you have tested it in your sandbox, back up your existing site files (just in case) and then apply the update in your production environment. The waiting game cuts both ways, though: a release that closes a security hole should not sit in the queue for long, because the hole is public knowledge once the fix is.

As a general rule, it's probably best to skip unnecessary updates unless they:

  • add functionality for your administrators
  • add functionality for your editors
  • enhance the user experience
  • or, most importantly, increase your site security
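The backup-then-update step above lends itself to a small script. What follows is an added example, not code from the original post or from any particular CMS: it tars a widget directory and records a SHA-256 manifest of its files before an update, then lists every file the update changed, added or removed, so a patch that quietly drops a tracker or rewrites a file it has no business touching stands out. The layout ($SITE_ROOT/widgets/<name>), the backup location and the widget name "gallery" are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: snapshot a widget before an update
# and list exactly which files the update touched afterwards.
# Assumptions (hypothetical layout): widgets live under $SITE_ROOT/widgets/<name>,
# backups go to $BACKUP_DIR. Override both from the environment.
set -eu

SITE_ROOT="${SITE_ROOT:-/var/www/site}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/site}"

# hash_file PATH: print "sha256  path" with whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# manifest DIR OUT: one sorted "sha256  ./relative/path" line per file under DIR.
manifest() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while read -r f; do
        hash_file "$f"
    done ) > "$out"
}

# backup_widget NAME: tar the widget directory with a timestamp, write its
# manifest beside the archive, and print the manifest path for later comparison.
backup_widget() {
    name="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    tar -czf "$BACKUP_DIR/$name-$stamp.tar.gz" -C "$SITE_ROOT/widgets" "$name"
    manifest "$SITE_ROOT/widgets/$name" "$BACKUP_DIR/$name-$stamp.manifest"
    printf '%s\n' "$BACKUP_DIR/$name-$stamp.manifest"
}

# changed_files BEFORE AFTER: paths whose hash differs between the two manifests,
# plus files that appeared or disappeared. An empty result means the update
# touched nothing; anything outside the widget's expected scope deserves a look.
changed_files() {
    awk '
        NR == FNR { before[$2] = $1; next }
        { after[$2] = $1 }
        END {
            for (p in before) if (!(p in after) || before[p] != after[p]) print p
            for (p in after)  if (!(p in before)) print p
        }' "$1" "$2" | LC_ALL=C sort
}

# Usage:
#   sh widget-update-check.sh backup gallery              -> prints BEFORE.manifest path
#   (apply the widget update, then)
#   sh widget-update-check.sh check gallery BEFORE.manifest -> prints changed paths
case "${1:-}" in
    backup) backup_widget "$2" ;;
    check)  after=$(mktemp)
            manifest "$SITE_ROOT/widgets/$2" "$after"
            changed_files "$3" "$after"
            rm -f "$after" ;;
esac
```

Run the backup step before the update and the check step immediately after. Compare the printed list against the update's own changelog: a version bump that also modifies a config loader, drops a new JavaScript file or rewrites files in a sibling widget is exactly the kind of "patch" the previous section warns about, and the tarball gives you a known-good copy to restore while you investigate.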

If you take these simple precautions, you can go a long way toward protecting yourself and your site from the bad guys without missing out on the benefits of an innovative open source community.
