Posted on August 26, 2010 by .
Update (Sept. 3, 2010): Originally, another URL was referenced for the press article mentioned below. That URL is no longer available, so the link has been replaced by a copy of the article hosted at another domain.
On August 18, 2010 Biloba IT, vendor of a CMS called bilobaCMS, published a press article (DE) to promote its Content Management System.
Oddly enough, they mention that Microsoft has recently stopped supporting IE6 and that the TYPO3 Association has stopped supporting the 4.1 branch. Don't ask me why they mention a browser at all! Version 6 of Internet Explorer appeared in August 2001, which means Microsoft provided support for a remarkable 9 years. In the meantime Internet Explorer 7 and 8 have become available. TYPO3 4.1.0 appeared in March 2007, so the TYPO3 Association provided more than 3 years of support. Its successors are TYPO3 4.2, TYPO3 4.3 and TYPO3 4.4. Declaring end of life for a product is just a normal part of its lifecycle.
Surprisingly, the vendor of bilobaCMS claims that the software quality and security of (proprietary) CMSs is higher than that of Open Source systems because development is done by a company.
As you know, I'm interested in software security and therefore was curious how much "higher" the security of bilobaCMS really is.
Dear readers, calm down! Not surprisingly, bilobaCMS suffers from the same typical vulnerabilities as other CMSs (Open Source ones included).
On August 19, 2010 I checked out their demo system (bilobaCMS 5.0) and quickly discovered a reflected Cross-Site Scripting vulnerability in the search form and a persistent (stored) Cross-Site Scripting vulnerability in the gallery feature. These vulnerabilities were disclosed to the vendor on the same day. Some hours later, the vendor replied and stated that the reported vulnerabilities had been fixed, customers informed and patches rolled out. Sadly, vulnerabilities and their fixes are not communicated through the vendor's website, so website visitors are not aware of such issues.
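To make the two findings concrete, here is an added example that is not bilobaCMS code and not the vendor's fix; it is a constructed Python sketch of both bug classes and of the output-encoding fix that closes them. The function and class names (`render_search_*`, `Gallery`, `echoes_markup_unencoded`) and the probe string are assumptions made for illustration, not names or values from the product.

```python
"""Added example (not bilobaCMS code): a reflected XSS in a search form and a
stored XSS in a gallery, each next to its output-encoded fix.

All names and data here are constructed for illustration."""
import html
import re

# Constructed probe string of the kind a tester types into a search field.
# It does nothing by itself; what matters is whether the page echoes it raw.
PROBE = '<script>alert(1)</script>'


# ---- reflected case: the search form echoes the query back into the page ----

def render_search_vulnerable(query: str) -> str:
    # Unsafe: user input is concatenated into HTML without encoding.
    return f"<h1>Results for {query}</h1>"


def render_search_fixed(query: str) -> str:
    # Safe for HTML body and quoted-attribute contexts: entity-encode on output.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


# ---- stored (persistent) case: captions are saved once, then shown to everyone ----

class Gallery:
    """Minimal in-memory stand-in for a gallery's caption storage."""

    def __init__(self) -> None:
        self._captions: list[str] = []

    def add_caption(self, text: str) -> None:
        # Storing the raw text is fine; the bug (or the fix) lives at render time.
        self._captions.append(text)

    def render_vulnerable(self) -> str:
        return "".join(f"<figcaption>{c}</figcaption>" for c in self._captions)

    def render_fixed(self) -> str:
        return "".join(
            f"<figcaption>{html.escape(c, quote=True)}</figcaption>"
            for c in self._captions
        )


# ---- regression check a tester can run against a rendered page ----

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def echoes_markup_unencoded(page: str) -> bool:
    """True if a raw <script tag survives in the rendered page."""
    return _SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print(render_search_vulnerable(PROBE))   # probe comes back as live markup
    print(render_search_fixed(PROBE))        # probe comes back as harmless text
    g = Gallery()
    g.add_caption(PROBE)
    print(echoes_markup_unencoded(g.render_vulnerable()), echoes_markup_unencoded(g.render_fixed()))
```

The difference between the two findings is only where the string waits: the search term is reflected in the very next response, the caption is persisted and served to every later visitor, which is why a stored XSS is the more serious of the two. The fix is the same for both, encode at output for the context you are writing into; `html.escape(..., quote=True)` covers HTML body text and quoted attribute values, while JavaScript or URL contexts need their own encoders.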
I'd like to highlight that the vendor obviously provided patches in a very short period of time. This is something to be proud of and worth mentioning in press articles, instead of blaming Open Source for no reason.
What we have learned: Choosing proprietary software over an Open Source one does not necessarily provide higher security standards!
Manager
LOL and lovely to read how you gave them a little slap with a fresh fish!
Another press article ...
In May 2010, the vendor suggested dropping WordPress in favour of their proprietary CMS. See their press article! (PDF) Looks like we'll see an article on Drupal soon. ;-)