
Drupal and WordPress Coordinate Security Updates to Fix DoS Flaw

For the first time ever, the security teams at Drupal and WordPress have worked together on addressing a remotely exploitable vulnerability that affects tens of millions of websites that use their publishing platforms.


The flaw, a denial-of-service (DoS) issue in PHP XML parsing, was reported to Drupal and WordPress by Nir Goldshlager, a senior security researcher at Salesforce.com, and founder of Israel-based Break Security.

XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls, is used by both content management systems (CMSs). Because of a vulnerability in the PHP XML parser, an attacker can drive a website’s database to its maximum number of open connections and exhaust the server’s CPU and memory, resulting in a denial of service.

“This phenomenon is predicated on a well-known cyber attack, known as the XML Quadratic Blowup Attack. This is starkly different from the customary XML bomb exploitation, in the sense that it distorts the Memory Limit and MySQL, and Apache Max Clients works,” Goldshlager explained on the Break Security blog. “This bug can be utilized without the aid of any plugins, and it functions smoothly on the default installation of WordPress and Drupal. Only one machine is needed to exploit this vulnerability.”

XML Quadratic Blowup attacks are a variation of XML Entity Expansion attacks. They are related to the Billion Laughs attack, which is also known as an XML bomb or exponential entity expansion attack.

Cloud-based website performance and security services provider Incapsula has issued an emergency patch to protect its Web Application Firewall (WAF) customers against such attacks. The company points out that, unlike a Billion Laughs attack, this type of exploit does not rely on recursion, which makes it more difficult to detect and mitigate.

“This ability to avoid detection is what makes this recently discovered vulnerability so dangerous. It could be said that this exploit only ‘bends the rules’, without actually breaking them. This fact, combined with the extremely large number of affected sites and the high damage potential, makes this vulnerability a triple threat – widespread, crippling and hard to weed out,” Incapsula’s Igal Zeifman wrote in a blog post.
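The defensive consequence of the two paragraphs above is that a check keyed on nesting depth misses the quadratic shape (one entity referenced many times) even though it catches the exponential one (entities nested inside entities). The following is an added example, written for this article and not code from WordPress, Drupal, PHP or Incapsula: a pre-parse check in Python that estimates how large a document becomes after entity expansion without ever materialising the expansion, so that the estimate costs a few dictionary lookups regardless of what the document would expand to. The function names, the thresholds and the four sample documents are all assumptions constructed for the example; the samples are deliberately tiny.

```python
import re

# Internal general entity declarations inside a DOCTYPE subset, e.g.
#   <!ENTITY co "Example Corp">
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
# Named entity references in content, e.g. &co;
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')
# The whole DOCTYPE declaration, including an internal subset in [...]
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\]\s*)?>', re.S)


class EntityExpansionError(ValueError):
    """Raised when an entity definition (directly or indirectly) references itself."""


def parse_entities(doc):
    """Map each internal entity name to its literal replacement text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(doc)}


def expanded_size(text, entities, cache, stack=()):
    """Character count of `text` after full entity expansion.

    Only sizes are computed; replacement text is never built, so a document
    that would expand to gigabytes is assessed in constant memory. `cache`
    memoises the expanded size of each entity, which is what keeps both the
    quadratic shape (one big entity referenced many times) and the exponential
    shape (nested entities) cheap. `stack` detects recursive definitions.
    """
    size, last = 0, 0
    for m in ENTITY_REF.finditer(text):
        size += m.start() - last            # literal text before the reference
        last = m.end()
        name = m.group(1)
        if name not in entities:            # &amp;, &lt; or undeclared: count as-is
            size += m.end() - m.start()
            continue
        if name in stack:
            raise EntityExpansionError(f"entity '{name}' references itself")
        if name not in cache:
            cache[name] = expanded_size(entities[name], entities, cache, stack + (name,))
        size += cache[name]
    return size + len(text) - last          # trailing literal text


def check_expansion(doc, max_bytes=1_000_000, max_ratio=100):
    """Assess `doc` before it reaches a real, entity-expanding XML parser.

    Returns the estimated expanded size of the document body, its ratio to the
    raw input size, and a `blocked` verdict. The default thresholds are
    assumptions for this example, not values from any CMS or parser.
    """
    entities = parse_entities(doc)
    body = DOCTYPE.sub("", doc, count=1)
    try:
        expanded = expanded_size(body, entities, {})
    except EntityExpansionError as exc:
        return {"expanded_bytes": None, "ratio": None, "blocked": True, "reason": str(exc)}
    ratio = expanded / max(len(doc), 1)
    over = expanded > max_bytes or ratio > max_ratio
    return {"expanded_bytes": expanded, "ratio": round(ratio, 2), "blocked": over,
            "reason": "expansion budget exceeded" if over else "ok"}


# Constructed samples (not real traffic); sizes are kept tiny on purpose.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE m [<!ENTITY co "Example Corp">]>'
          '<m><a>&co;</a><b>&co;</b></m>')
# One entity referenced repeatedly: the quadratic shape, with no nesting at all.
REPEATED = ('<!DOCTYPE m [<!ENTITY a "' + "x" * 32 + '">]>'
            '<m>' + "&a;" * 16 + '</m>')
# Entities nested three levels deep, three references per level: the exponential shape.
NESTED = ('<!DOCTYPE m [<!ENTITY l1 "ha"><!ENTITY l2 "&l1;&l1;&l1;">'
          '<!ENTITY l3 "&l2;&l2;&l2;">]><m>&l3;</m>')
# Two entities that reference each other; a naive expander would never terminate.
RECURSIVE = '<!DOCTYPE m [<!ENTITY a "&b;"><!ENTITY b "&a;">]><m>&a;</m>'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("repeated", REPEATED),
                         ("nested", NESTED), ("recursive", RECURSIVE)]:
        print(name, check_expansion(sample, max_bytes=256))
```

Because the verdict is driven by the total expanded size and the expansion ratio rather than by nesting depth, the repeated-reference document is blocked under a 256-byte budget (it expands to 519 characters from a 116-character input) even though it contains no recursion, while the nested sample is costed correctly (25 characters) without any entity ever being expanded. In deployment the simpler choice is often to reject any document that carries a DOCTYPE at all on endpoints, such as XML-RPC, that never legitimately need one; the budget check above is for the cases where a DTD must be accepted.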


The flaw has been fixed in WordPress with the release of version 3.9.2, and in Drupal with the release of versions 6.33 and 7.31. Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team produced a fix for the issue. The latest WordPress contains other security changes as well, but Drupal has rolled out the update only to fix the DoS vulnerability.

The vulnerability affects all WordPress and Drupal websites, so users are advised to update their installations as soon as possible.

Goldshlager has published a video demonstrating a DoS attack against a WordPress website.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
