I've been in the Security Industry for about ten years now. I say that not to brag, but to give context for the rest of this post. I've assessed countless pieces of software of nearly every type, web apps, web services, desktop, firmware, mobile, Operating Systems, and more. So believe me when I say this is a bit of a tough post to write.
Up until about a month ago Joe_CMS had a major security vulnerability in it.
But let me start at the beginning and tell the story in chronological order. I've been working on a new CMS, one that would opt for simplicity and just the right set of features so it's easy to use and very easy to administer. Before I open source it, I wanted to deploy it to a few of the sites that I run (Technically Learning, My Wife's Site, and this one). I've been happily finding little bugs here and there and have generally been happy with how it's shaping up. I even think a few weeks ago I told a friend that it was “getting close.”
A litte more than a month ago I browsed to my site to publish a new blog post and noticed the Title of my blog had changed. I thought that was very odd because it hadn't changed to something recognizable, bur rather something like the random values that an automated tool may inject to look for injection vulnerabilities. I immediately suspected my coworkers and asked around. Nobody knew a thing.
I checked over all the settings, that are configurable online, the database strings were correct, the passwords were good, everything seemed to be in order. I did think that since the site doesn't go over SSL (something I intend to fix soon) that perhaps my session or credentials were stolen and somebody changed the settings manually. I changed all my passwords, added a longer random registration code and decided to wait it out.
About a few weeks ago, it happened again! I again checked all the settings, which had all been overwritten again, and immediately started to think about how this could have happened. Did my hosting provider get popped, my database, surely it's not my application!
Finally something dawned on me. I logged out and directly browsed to http://whoisjoe.com/Settings.aspx. The page was wide open. I had forgotten to require authentication on the Admin Settings page!! I extended the asp.net BasePage as AdminPage to require Authentication on any page as long as I remember to change the inheritance. If you try to author a post, edit a page or modify any template you have to log in. Somehow the settings page slipped my mind and it was dangling out naked on the internet for who knows how long. Luckily it looks like it was just bots and spiders that found the issue, but had a real hacker discovered it things could have been much, much worse.
This is exactly the kind of issue I look for and find in all kinds of web applications. Forceful browsing is all over the place. A developer assumes that because a page isn't linked to it isn't accessible or won't be discovered, but in reality any page that isn't explicitly protected is vulnerable. In addition to this assumption one must also assume every vulnerability will found. Every XSS, every SQLi, every CSRF issue will be found if given enough time. This means that these cannot exist in your application. I missed authentication on one page and if the wrong person would have found it they could have easily compromised my entire website making it a hotbed for malware drive by downloads.
Now that we've found the last bug in Joe_CMS I feel confident it's ready to ship… right?
Posted By: Joe Basirico