WordPress and Drupal websites Vulnerable to DoS attack which can make them completely inaccessible

August 7, 2014  By Pierluigi Paganini


The popular expert Nir Goldshlager has discovered an XMLRPC vulnerability which affects millions WordPress and Drupal websites exposing them to DoS Attack.

If your website is based a WordPress or Drupal CMS you need to urgently update it to the last version released due to the presence of a critical vulnerability in the implementation of XMLRPC. XMLRPC is a remote procedure call (RPC) protocol which uses XML to encode its request and the HTTP as a carrier. The vulnerability is critical because millions of websites currently use WordPress and Drupal, the XML vulnerability is present in WordPress versions from 3.5 to 3.9.1 and Drupal versions from 6.x to 7.x.
The critical flaw, which affects all previous versions of WordPress, could be exploited by an attacker to conduct a Denial of Service (DoS) attack against our our website.
The vulnerability in the CMSs was discovered by the popular expert Nir Goldshlager, it is a problem related to the PHP’s XML processor that was promptly fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team.
As explained by the research Goldshlager in his blog post, a hacker could exploit a know technique of attack, the XML Quadratic Blowup Attack, to make the targeted website completely inaccessible instantly due to the saturation of memory, CPU and of the pool of open connections.

Goldshlager highlights the similitude of the XML quadratic blowup attack with the Billion Laughs attack, it basically exploits the use of entity expansion, this means that it replicates one large entity using a couple thousand characters repeatedly.

“A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success.”

In the following example provided by the expert, if the attacker defines the entity “&x;” as 55,000 characters long, and uses this entity 55,000 times inside the XML “DoS” element, the parser will expand to 2.5 GB the document causing the saturation of resources of targeted website.

<?xml version=”1.0″?> 
<!DOCTYPE DoS [!<ENTITY a "xxxxxxxxxxxxxxxxx...">]>
<DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;…</DoS>
wordpress Drupal hacking

Following a video Proof of Concept of the attack on WordPress published by Goldshlager, while the PoC Exploit: (128MB Memory limit) is available at the address below

https://drive.google.com/file/d/0B2-5ltUODX1Lc3pGV0FjbUk4bjA/edit?usp=sharing

Both WordPress and Drupal have released an update today to fix the problem, all users that have chosen to manually update their CMS instance, urge to upgrade it to the latest version.

Pierluigi Paganini

(Security Affairs –  Drupal, WordPress, hacking)  



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

FBI infected PCs on a large scale to persecute alleged criminals

 A report disclosed by Wired suggests that the FBI is using a malware to identify Tor users by infecting machines on a large...