Yesterday, JVN published an advisory about vulnerabilities in OneThird CMS
The vulnerabilities, which were pointed out by an outside reporter, come to four in total
All of them have been fixed in the latest version
The breakdown is one directory traversal and three XSS
I think this is overwhelmingly few compared to a CMS such as WordPress
That is not necessarily because OneThird CMS is wonderfully designed
I simply believe that the smaller amount of code makes it harder for vulnerabilities to get in
Between WordPress and OneThird CMS there is a difference of more than 10 times in the amount of code
So OneThird CMS would be expected to have 1/10 or fewer of the vulnerabilities of WordPress
This is because the defect (bug) rate of software is considered to be proportional to the amount of code
However, at present, I think the difference between the total number of WordPress vulnerabilities and the total for OneThird CMS is more than 100 times
This may be because WordPress, as the most used CMS in the world, is checked by all kinds of people
It is also possible that, as OneThird CMS gains more users, latent bugs will be discovered in the future
Now, let me explain how the OneThird CMS design side thinks about the possibility that vulnerabilities may increase in the future
I believe there is no way to completely prevent a certain amount of vulnerable code from getting in
So the fundamental policy is to leave out functions that are not really needed as much as possible, so as not to increase the amount of code
However, apart from the amount of code, there is the separate problem of the severity of software defects
Even if the probability of a bug occurring is kept low, it becomes important that a bug, when it does occur, cannot do far-reaching damage
For that, the design side conducts a proper risk analysis, but since it is generally difficult for the operating side to take corresponding measures, a small twist has been added to the structure of the software as an insurance measure
So what kind of idea is it?
In OneThird CMS, we adopted a design technique that suppresses intrusion routes from the outside as much as possible
Since the URLs exposed to the outside are the ones most likely to be attacked, all access to the CMS is designed to pass through index.php
Only the seven basic management URLs are separate; the usual management URLs, and also all URLs that plug-ins use, go through index.php
I believe this measure is effective against serious bugs, because plug-ins, especially user-created ones, easily become gray areas
It also gives flexibility in choosing the operating method
With an ordinary CMS a WAF often causes half-hearted malfunctions, but in OneThird CMS the URLs are divided into those where the WAF operates and those for normal operation, so a WAF can be adapted easily
Even without using a WAF, operation is easy: for example, static access and dynamic access can be separated, and the management entrance can likewise be divided on the same server
In particular, with this method the content can receive multiple checks through the management URLs and then be published all at once, which suits the operation of pages where mistakes are not allowed, such as those of local governments
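The single-entry-point and split-entrance design described above, as an added illustration that is not OneThird CMS's own configuration: an nginx server block in which every dynamic request is funnelled through index.php, direct execution of any other PHP file (plug-in code included) is refused, static files are served without touching PHP, and a separate management prefix is the only place where source-network restrictions and a WAF rule set need to be applied. The document root, the /manage/ prefix, the network range and the PHP-FPM socket are assumptions for the example, not values taken from the project.

```nginx
# Added example, not the project's configuration.
# Assumptions (placeholders):
#   - document root /var/www/cms with the front controller /var/www/cms/index.php
#   - the separate management URLs live under the hypothetical prefix /manage/
#   - PHP-FPM listens on unix:/run/php/php-fpm.sock
#   - the operator's network is 203.0.113.0/24 (a documentation range)

server {
    listen 80;
    server_name cms.example.com;
    root /var/www/cms;
    index index.php;

    # Static access: files are served directly and never reach PHP at all.
    location ~* \.(css|js|png|jpg|jpeg|gif|svg|ico|woff2?)$ {
        try_files $uri =404;
        expires 7d;
        access_log off;
    }

    # Management entrance: a separate, narrow location. It is limited to the
    # operator's network and protected by basic auth; a WAF rule set can also
    # be scoped to this prefix without affecting the public pages.
    # allow/deny and auth_basic are evaluated before try_files runs.
    location /manage/ {
        allow 203.0.113.0/24;
        deny all;
        auth_basic "Management";
        auth_basic_user_file /etc/nginx/manage.htpasswd;
        try_files $uri /index.php$is_args$args;
    }

    # Refuse direct execution of any PHP file other than the front controller,
    # so plug-in code (including user-written plug-ins) cannot be invoked by URL.
    location ~ \.php$ {
        return 404;
    }

    # Dynamic access: everything else is funnelled through the single entry point.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # The exact-match location wins over the regex above, so only index.php
    # is ever handed to PHP-FPM.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Because access checks (allow/deny, auth_basic) belong to an earlier request phase than try_files, a client that is denied on /manage/ never reaches index.php through that prefix, while the public location still routes every other dynamic path to the same front controller.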
The reason OneThird CMS has no discussion function like WordPress is that we are considering such operation
We believe that stripping out a feature wherever an alternative method exists leads to a reduction of vulnerabilities
As described above, you can operate a very robust site, so please do consider it and operate it properly
Note that SpiQe software, the management company, also accepts consultations about OneThird CMS
Please feel free to contact us