New WordPress, Drupal Vulnerability Discovered by Security Researcher

in News

by caorda


On August 5th 2014 Nir Goldshlager (CEO of Break Security) announced a full disclosure of a WordPress and Drupal Denial-of-Service attack that crashes sites and overloads the server.

This phenomenon is predicated on a well-known cyber attack, known as the XML Quadratic Blowup Attack… starkly different from the customary XML bomb exploitation. [1]

This XML “bomb” operates by expanding the same entity over and over until the document's size becomes too large for the server to handle. MySQL and Apache memory limits are exceeded, causing the server CPU to run at 100% and preventing human users from accessing the site.

What is a denial-of-service (DoS) attack?

A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. In its distributed form (DDoS), hundreds of thousands of bots (usually computers compromised by a trojan) are forced to connect to the target website simultaneously.

DDOS Illustration

When a server is overloaded, its services can behave unexpectedly, and attackers may take advantage of memory leaks or stack overflows to inject a remote-access package.

What is an “XML Quadratic Blowup Attack”?

Similar to the Billion Laughs Attack, the Quadratic Blowup Attack uses entities in an XML document to expand a block of characters repeatedly. The result is that a small file can require several hundred megabytes or even gigabytes of memory, which can easily cripple a server.

For example:

<?xml version="1.0"?>
<!DOCTYPE DoS [
  <!ENTITY x "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx…">
]>
<DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;…</DoS>

If an attacker defines the entity “&x;” as 55,000 characters long and refers to that entity 55,000 times inside the “DoS” element, the resulting XML Quadratic Blowup payload is slightly over 200 KB in size but expands to 2.5 GB when parsed. [2]
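The expansion described above can be estimated before any XML parser touches the request. The guard below is an added example (not code from the article, WordPress or Drupal): it sizes the entities declared in the DTD, estimates how large the body would become once they are expanded, and refuses the request either whenever a DOCTYPE is present at all (the approach the WordPress 3.9.2 XML-RPC fix took) or when the estimate exceeds a budget. MAX_EXPANSION_BYTES and the scaled-down sample payload are constructed assumptions.

```python
import re
from typing import Dict, Optional

# Assumed budget (not from the article): a legitimate XML-RPC call is a few KB,
# so a body that would expand past 1 MiB is refused before a real parser sees it.
MAX_EXPANSION_BYTES = 1024 * 1024

_DTD_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>', re.S)
_ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF_RE = re.compile(r'&(\w+);')

def _expand(text: str, sizes: Dict[str, int]) -> int:
    """Size of text once every known entity reference in it has been replaced."""
    total = len(text)
    for ref in _ENTITY_REF_RE.findall(text):
        if ref in sizes:
            total += sizes[ref] - (len(ref) + 2)  # '&name;' becomes the entity's text
    return total

def estimate_expansion(xml_text: str) -> int:
    """Estimate the byte size of the document after its internal general entities
    are expanded, without parsing it. Entities are sized in declaration order, so a
    reference to an earlier entity (a Billion Laughs chain) is counted as well."""
    sizes: Dict[str, int] = {}
    for name, dq, sq in _ENTITY_DECL_RE.findall(xml_text):
        sizes[name] = _expand(dq if dq else sq, sizes)
    body = _DTD_RE.sub('', xml_text)  # only references in the body are expanded
    return _expand(body, sizes)

def check_xmlrpc_body(xml_text: str, allow_dtd: bool = False) -> Optional[str]:
    """Return a rejection reason, or None when the body may go to the XML parser.
    allow_dtd=False refuses any DOCTYPE outright, which is what the WordPress 3.9.2
    XML-RPC fix does; allow_dtd=True refuses only bodies whose estimated expansion
    exceeds MAX_EXPANSION_BYTES."""
    if re.search(r'<!DOCTYPE', xml_text, re.I):
        if not allow_dtd:
            return 'DOCTYPE is not allowed in an XML-RPC request'
        size = estimate_expansion(xml_text)
        if size > MAX_EXPANSION_BYTES:
            return f'entity expansion would reach {size} bytes'
    return None

# Constructed, scaled-down version of the payload described above: a 40-byte
# entity referenced 50 times (the article's figures are 55,000 and 55,000).
SAMPLE_BLOWUP = ('<?xml version="1.0"?>\n<!DOCTYPE DoS [\n  <!ENTITY x "' + 'x' * 40
                 + '">\n]>\n<DoS>' + '&x;' * 50 + '</DoS>')
SAMPLE_SAFE = '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName></methodCall>'
```

Running estimate_expansion over SAMPLE_BLOWUP shows a 259-byte request growing to 2,034 bytes; scaling the entity and the reference count to the article's 55,000 each gives the quadratic growth the text describes.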

Is my website affected?

This vulnerability affects a wide range of websites, in particular:

  • WordPress 3.5 – 3.9 (the latest release at the time of writing)
  • Drupal 6.x – 7.x (the latest release at the time of writing)

Both WordPress and Drupal have already released software updates that remove the vulnerability! Since the auto-update mechanism was introduced back in WordPress 3.7 and 3.8, many WordPress sites have already fixed themselves. However, websites that require manual updating such as WordPress 3.0-3.6 and Drupal 6.x-7.x are still at risk.

Users should take precautions against this vulnerability immediately.

Comment on Full Disclosure: Security Risk of Crucial Details

Due to the potential target range of this vulnerability, Goldshlager responsibly notified the WordPress and Drupal core teams before releasing information to the public. This gave the teams time to create a fix before more hackers became aware of the issue, giving website owners a window to patch the problem.

WordPress & Drupal Vulnerabilities: Further Reading

If you think that your site is at risk, please contact Caorda Web Solutions today and we will help you secure your domain!