Components, libraries, and add-ons

The article "Ensuring website safety" is provided by Sophos Plc and SophosLabs.

December 2007

Many web developers don't bother to the invent a bicycle. If you are asked to add a popular and widely-used functionality, the easiest way is to find a package with the ready component and customize it to fit your needs. This situation is often characteristic of the complex multifunctional micro applications — blogs, forums and content management systems (CMS).

The reasons to use custom systems offered by third-party developers are obvious: saving time and money.

However, like any other software, these add-ons may have drawbacks. That's why you should monitor what packages are used and update them regularly. The popularity of some packages may give you a false sense of confidence in their reliability. Many common packages contain vulnerabilities that are exploitable even if they are installed and configured correctly.

In the past, serious vulnerabilities were identified in such popular server applications as:

  • Wordpress (blog).

  • phpBB (Forum).

  • CMS Made Simple (CMS).

  • PHPNuke (CMS).

  • bBlog (blog).

Many of these (and similar) add-ons are widely distributed, which makes them an attractive target for hackers looking to maximize the number of potential victims. Since most operating systems and HTTP servers support automatic updates, many developers “configure and forget” certain functions, without updating various add-ons. This is a very dangerous mistake.

Again, here we recommend that you use the following rule: down with something that isn't used! If your hosting provider supports such features by default, disable them. If you can't disable them, you should consider whether you need such services.