OneThird CMS

Lightweight CMS for Small website, Web application framework.

Download Document


OneThird CMS is actually a strong CMS to vulnerability?

OneThird CMS is less vulnerable?

Yesterday, there was a presentation of vulnerability OneThird CMS from JVN

This, pointed out the vulnerabilities from the outside, has a 4 stars cumulative

All have been measures in the latest version

Contents, directory traversal is 1, XSS is 3

This is, I think overwhelmingly small compared to the CMS such as WordPress

In, not necessarily be the case and say designed to OneThird or CMS is wonderful

Simply, it is believed that because the amount of code is less difficult to enter vulnerability

It's WordPress amount of code and OneThird CMS there is a difference of more than 10 times

OneThird CMS also will be 1/10 or less vulnerable because WordPress of 1/10 or less

This defect rate of software (bug) is because is considered to be proportional to the amount of code

However, in the present situation, total of WordPress vulnerabilities of the total and OneThird CMS I think there is a difference of more than 100 times

It may be because WordPress is receiving all kinds of people of check in CMS that is used most in the world

Also there is a possibility that the discovery of a potential bug more users come out future so think if OneThird CMS

OneThird idea to CMS of vulnerability

Now, let's explain what are thinking if in OneThird CMS design side with respect to may not vulnerability may increase future

It will be believe that there is no way is entering a certain extent against vulnerability code

So, not included as much as possible need more functions, because not increase the amount of code is the fundamental policy

However, the amount of code there is a problem that the severity of software defects separately

Also short in the probability of occurrence of the bug is fixed, is that it becomes important that the bad far from per

For it, the design side, but take the appropriate firm conducted a risk analysis on the side to use because it is difficult to corresponding measures I general, there is a little twist to the structure of the software as insurance measures

And say what kind of ideas or

In OneThird CMS, it is the adoption of a design technique that suppressed as much as possible the invasion route from the outside

Since the probability of being exposed to attacks from much outside the URL for the attack is often more, all access to the CMS has been designed so as to pass through the index.php

Although only the URL for the basic management (seven) is another, usually of management, also go through all index.php URL that such plug-ins use

Serious bug believes that such measures it is effective because the easy to Gray to those plug-ins, especially user-created

It also has to choose flexible about operating method

I often cause a half-hearted malfunction With the WAF in normal CMS, but by dividing the URL to work URL and WAF to normal operation in OneThird CMS, you can easily adapt

Even without the use of WAF, one is also easy operation of the condition, such as dynamic access of static access, for managing the one with similarly divided the entrance on the same server

In particular, in this method, after performing multiple check in the URL for the management, collectively we are suitable for the operation of pages that are not allowed mistakes, such as local governments because you take a method such as a stretch public

In OneThird CMS, is there no discussion functions such as WordPress is because you are considering such operation

We believe will lead to the reduction of vulnerability to say that this feature if there is a method of alternative as a stripped-washable

Thank you for your consideration all means because you can operate a very robust site and to operate properly As described above

It should be noted, also heard consultation of OneThird CMS in SpiQe software is a management company

Please feel free to contact us

Google Website Translator - Google Translate