Major DoS Vulnerability in WordPress and Drupal

By August 7, 2014Uncategorized

WebOzy
WebOzy – the web services company

Some of you may be experiencing issues with your sites or others today. Pretty much boils down to another bad day for the internet.

We have had several major security issues on the internet this year, including the recent Heartbleed debacle. Now, security researcher Nir Goldshlager has discovered an XML vulnerability that impacts both WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack that, when executed, can take down an entire website or server almost instantly.

WordPress and Drupal are by far the most widely used CMSs, and since most of our clients are running sites on these platforms, we want everyone to be aware of the vulnerability. It affects WordPress versions 3.5 to 3.9 (the current version) and Drupal versions 6.x to 7.x (the latest version), but both WordPress and Drupal have released patches that protect against the vulnerability.

How the attack works

The Quadratic Blowup Attack uses nested entities inside an XML document, repeating one large entity with tens of thousands of characters over and over again. The XML document itself may only be a few hundred kilobytes in size can end up requiring hundreds of megabytes or even gigabytes of memory.  That will easily bring down an entire web server.

In Goldshlager’s words:

“If an attacker defines the entity “&x;” as 55,000 characters long, and refers to that entity 55,000 times inside the “DoS” element, the parser ends up with an XML Quadratic Blowup attack payload slightly over 200 KB in size that expands to 2.5 GB when parsed. This expansion is enough to take down the parsing process.”

In other words, your website is buggered.

Why this is a big deal

We regularly see new vulnerabilities and deal with them as they arise. The great thing about open source software is the usual quick availability of patches. The problem with this particular vulnerability is the ease of its execution which therefore leads to widespread use.

The fix

New releases of both WordPress and Drupal have been made available. The update procedure will vary based on your setup.

If you’re using one of our managed hosting packages, chances are you’ve already been updated. If you’re managing your own site, you’ll want to update right away or contact us for help.

Regardless of whether or not your site is fixed, quite a few web hosting companies are struggling overall. In our case, that means our upstream providers are working to fix the issue, but there may be intermittent outages in the meantime.

We continue to experience network latency impacting site performance and page loads. Our Engineers are working to mitigate the malicious inbound traffic we have been experiencing. Due to the variable nature of this type of disruption we are unable to offer an ETA for resolution at this time. ~ Rackspace support

Major DoS Vulnerability in WordPress and Drupal
Nicholas Garofalo

Leave a Reply