WordPress and Drupal Core Denial Of Service Vulnerability – Moderately Critical

August 6, 2014, by David Dede


Both WordPress and Drupal are affected by a DoS (denial of service) vulnerability on the PHP XML parser used by their XMLRPC implementations. The issue lies in the XML entity expansion parser that can cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections. That will cause the vulnerable site (and server) to go down for a period of time, hence affecting availability of your website.

Kudos to the security teams from both platforms for their collaboration and synchronized disclosure.

The bug was discovered by Nir Goldshlager and disclosed on his blog at BreakSec. He goes on to explain the specifics of the issue:

An XML quadratic blowup attack is similar to a Billion Laughs attack. Essentially, it exploits the use of entity expansion. Instead of deferring to the use of nested entities, it replicates one large entity using a couple thousand characters repeatedly.

A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success.

..

If an attacker defines the entity “&x;” as 55,000 characters long, and refers to that entity 55,000 times inside the “DoS” element, the parser ends up with an XML Quadratic Blowup attack payload slightly over 200 KB in size, which expands to 2.5 GB when parsed.

WordPress and Drupal sites are vulnerable to this attack whether XML-RPC is used or not. This is not a vulnerability to be taken lightly. It also has far-reaching impact: any other application leveraging a similar XMLRPC implementation is vulnerable.
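A pre-parse gate of the kind the post's reasoning implies, as an added example that is not Sucuri's, WordPress's or Drupal's code: it reads the internal DTD subset as text, follows nested entity references, and estimates how large the document would become before any XML parser sees it. `quadratic_sample()` is a constructed helper that reproduces the shape described above (one entity of n characters referenced n times) so the gate can be exercised at toy and at the quoted size; the thresholds are assumptions.

```python
import re

DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')  # double-quoted general entities only
ENTITY_REF = re.compile(r'&(\w+);')
PREDEFINED = {'amp', 'lt', 'gt', 'quot', 'apos'}            # each expands to one character

def quadratic_sample(n):
    """Constructed document in the shape the post describes: one entity of n
    characters referenced n times (the quoted payload used n = 55,000)."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE methodCall [ <!ENTITY x "' + 'A' * n + '"> ]>\n'
            '<methodCall><methodName>' + '&x;' * n + '</methodName></methodCall>')

def _expanded_size(name, entities, memo, stack):
    """Fully expanded length of one entity, following nested references."""
    if name in PREDEFINED:
        return 1
    if name in memo:
        return memo[name]
    if name in stack or name not in entities:
        return float('inf')        # recursive or undeclared entity: refuse to guess
    stack.add(name)
    value = entities[name]
    size = len(ENTITY_REF.sub('', value))
    for ref in ENTITY_REF.findall(value):
        size += _expanded_size(ref, entities, memo, stack)
    stack.discard(name)
    memo[name] = size
    return size

def estimate_expansion(doc):
    """Return (bytes on the wire, worst-case bytes after entity expansion),
    computed from the text alone so no XML parser ever touches the document."""
    m = DOCTYPE.search(doc)
    if not m:                      # no internal DTD subset: nothing can expand
        return len(doc), len(doc)
    entities = dict(ENTITY_DECL.findall(m.group(1)))
    body = doc[m.end():]
    expanded = len(ENTITY_REF.sub('', body))
    memo = {}
    for ref in ENTITY_REF.findall(body):
        expanded += _expanded_size(ref, entities, memo, set())
    return len(doc), expanded

def safe_to_parse(doc, max_expanded=1_000_000, max_ratio=10):
    """Gate for an XML-RPC endpoint (assumed limits): refuse documents whose
    entities could expand past an absolute cap or past max_ratio times their
    wire size. XML-RPC never needs a DOCTYPE, so rejecting any document that
    carries one is the blunter alternative."""
    wire, expanded = estimate_expansion(doc)
    return expanded <= max_expanded and expanded <= wire * max_ratio
```

At the quoted size the estimate is about 220 KB on the wire against roughly 3 GB after expansion, so the gate rejects it without ever allocating that memory; a recursive entity pair is also rejected because its size is unbounded.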

Both projects, WordPress and Drupal, released an update today to address this problem, and all users should upgrade ASAP to the latest version. Since this bug is trivial to exploit, we expect to see it in the wild very soon.

Because of the wide-ranging impact, it's categorized as Moderately Critical. Any time availability, one of the pillars that make up the security triad, is affected, severity goes up. In this case, websites and web servers will go down. The emphasis on it being minor is incorrect from a security perspective.

[Image: Sucuri - Security Triad]

Sucuri Customers Protected

Customers using our Website Firewall (CloudProxy) product are currently protected via our Virtual Patching. This will be especially useful for those running out-of-date versions of the platforms who are unable to update, and are hence susceptible to the attack.


Categories: Drupal Security, Vulnerability Disclosure, WordPress SecurityTags: DDoS

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Jon Schroeder

    August 6, 2014

    Does this address the (I believe) related issue with people using XMLRPC to attempt logins to a site and use the responses to gain information about correct usernames/passwords (I’m probably saying something incorrectly here, but you probably know what I’m talking about).

  2. Thomas Zickell

    August 8, 2014

    The update takes care of some extremely vulnerable parts of WordPress. You should update ASAP; this has much more to do with a security update than it does with functionality. Better yet, buy CloudProxy; do not worry.
