Keep your CMS safe with Secure CQ

26 February 2013
Tomasz Rekawek

Content Management Systems and web-applications in general are probably the most difficult kind of software to secure. Modern CMS' are so complex and feature abundant that it is often possible to find some security holes or unsecured modules and get access to confidential information or even modify the content without authorisation. Adobe CQ is very complex and provides authors with a wide range of possibilities. Unfortunately, it means also a lot of possibilities for potential malicious users. This post presents Secure CQ, a tool which can be used to find the most popular security problems in your CQ instance.

Knowledge is the power

There is a lot of security checklists and hints for CQ. The most important is the official Security Checklist on Adobe's site. Private blogs, like CRXDelight, may also be useful. My colleague Jan has published an interesting post about common vulnerabilities. There are two problems with these lists:

  • they are scattered over the Internet,
  • it's very time-consuming to test each one manually.
Secure CQ is a solution for both these problems.

Turn theory into practice

Secure CQ is basically an implementation of various security hints which can be found on the Internet. For instance, there is a CRXDelight blog post containing a list of default CQ accounts with their passwords. In order to prevent unauthorized users from logging in, passwords for all these accounts should be changed. Secure CQ connects to the configured author and publish instances and tests if it's possible to log in using one of the default credentials. Results are displayed in following form:

Sample test performed by Secure CQ

Secure CQ tests both instances and also the dispatcher, as some resources should be restricted in the cache configuration. It checks:

Each test contains a description and the More info link which references the external site to additional information about a given security flaw.

How to use it?

In order to use the application, you have to install the Secure CQ package on your author instance. You may download the pre-built package or build it yourself using sources from GitHub. It'll be also available in the CQ Package Share module soon. After installing it, go to the CQ Tools page and choose Secure CQ from the list on the left. The application tries to find author, publish and dispatcher URLs automatically, but you may want to confirm that they have been recognized correctly. In order to do that click Edit on the Settings bar and optionally correct addresses. That's it. Wait for a moment until the tests are done and check the results.

Awarded by Adobe

I hope that the presented application will be useful in securing your CQ installation. Of course it can't replace good knowledge of the CMS you use, but I think it's a good starting point. It's also worth mentioning that the package was awarded in the Adobe CQ Package Share Contest "Small Application, Great Ideas".