WordPress and Drupal Are Vulnerable; Vulnerability Could Take Down Website



If your Website runs on self-hosted WordPress of Drupal, update it now. Security research Nir Goldshlager from Salesforce.com has discovered an XML vulnerability which can lead attacker take down your website via well-known XML Quadratic Blowup Attack.

WordPress Drupal vulnerableThis vulnerability use XML Quadratic Blowup Attack which can take down the whole website or server in few seconds with the use of only single system. It can cause the complete CPU and memory exhaustion. It can also cause database connections to reach the maximum number of open connections. Thus it makes the website down for a period of time and your website will become inaccessible.

How this attack works

This vulnerability uses XML Quadratic Blowup Attack in which a very small XML document can totally disrupt your web server from a single machine. In this, a XML document of few hundred KB size can end up requiring hundreds of megabytes if space in memory.

In PHP, default memory allocation limit for a process to 128 MB. It means you cannot exceed 128 MB via single process. Apache has its “Max CLients” property set to 256. And MySQL has its “Max Connections” value set to 151. If we multiply these three, we get 19328MB which can consume all available memory.

“If an attacker defines the entity “&x;” as 55,000 characters long, and refers to that entity 55,000 times inside the “DoS” element, the parser ends up with an XML Quadratic Blowup attack payload slightly over 200 KB in size that expands to 2.5 GB when parsed. This expansion is enough to take down the parsing process,” Nir Goldshlager wrote in his blog.

See the video below

WordPress Denial Of Service PoC Video from Nir on Vimeo.

Millions of websites use WordPress and Drupal. If we only talk about WordPress, it alone powers nearly 23% of the web. So, we can say that this vulnerability has huge impact on web.

This XML vulnerability affects WordPress 3.5 to 3.9 and Drupal 6.x to 7.x. If you are using the affected version, you should know that patch is already available for both Drupal and WordPress. Because it was a critical vulnerability, Goldshlager reported the vulnerability to WordPress and Drupal teams before sharing the vulnerability with the public. So, both companies have already came up with patches to fix the issue.

If you’re running WordPress or Drupal, update now.