• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

AI for Cybersecurity: Building Trust in Your Workflows

 | 

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

 | 

New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

 | 

Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

 | 

'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

 | 

Hackers exploit Microsoft flaw to breach Canada ’s House of Commons

 | 

Norway confirms dam intrusion by Pro-Russian hackers

 | 

Zoom patches critical Windows flaw allowing privilege escalation

 | 

Manpower data breach impacted 144,180 individuals

 | 

U.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical FortiSIEM flaw under active exploitation, Fortinet warns

 | 

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 

SAP fixed 26 flaws in August 2025 Update, including 4 Critical

 | 

August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

 | 

Dutch NCSC: Citrix NetScaler zero-day breaches critical orgs

 | 

Chrome sandbox escape nets security researcher $250,000 reward

 | 

Smart Buses flaws expose vehicles to tracking, control, and spying

 | 

MedusaLocker ransomware group is looking for pentesters

 | 

Google confirms Salesforce CRM breach, faces extortion threat

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Hacking
  • Security
  • WordPress and Drupal websites Vulnerable to DoS attack which can make them completely inaccessible

WordPress and Drupal websites Vulnerable to DoS attack which can make them completely inaccessible

Pierluigi Paganini August 07, 2014

The popular expert Nir Goldshlager has discovered an XMLRPC vulnerability which affects millions WordPress and Drupal websites exposing them to DoS Attack.

If your website is based a WordPress or Drupal CMS you need to urgently update it to the last version released due to the presence of a critical vulnerability in the implementation of XMLRPC. XMLRPC is a remote procedure call (RPC) protocol which uses XML to encode its request and the HTTP as a carrier. The vulnerability is critical because millions of websites currently use WordPress and Drupal, the XML vulnerability is present in WordPress versions from 3.5 to 3.9.1 and Drupal versions from 6.x to 7.x.
The critical flaw, which affects all previous versions of WordPress, could be exploited by an attacker to conduct a Denial of Service (DoS) attack against our our website.
The vulnerability in the CMSs was discovered by the popular expert Nir Goldshlager, it is a problem related to the PHP’s XML processor that was promptly fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team.
As explained by the research Goldshlager in his blog post, a hacker could exploit a know technique of attack, the XML Quadratic Blowup Attack, to make the targeted website completely inaccessible instantly due to the saturation of memory, CPU and of the pool of open connections.

Goldshlager highlights the similitude of the XML quadratic blowup attack with the Billion Laughs attack, it basically exploits the use of entity expansion, this means that it replicates one large entity using a couple thousand characters repeatedly.

“A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success.”

In the following example provided by the expert, if the attacker defines the entity “&x;” as 55,000 characters long, and uses this entity 55,000 times inside the XML “DoS” element, the parser will expand to 2.5 GB the document causing the saturation of resources of targeted website.

<?xml version=”1.0″?> 
<!DOCTYPE DoS [!<ENTITY a "xxxxxxxxxxxxxxxxx...">]>
<DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;…</DoS>

wordpress Drupal hacking

Following a video Proof of Concept of the attack on WordPress published by Goldshlager, while the PoC Exploit: (128MB Memory limit) is available at the address below

https://drive.google.com/file/d/0B2-5ltUODX1Lc3pGV0FjbUk4bjA/edit?usp=sharing

Both WordPress and Drupal have released an update today to fix the problem, all users that have chosen to manually update their CMS instance, urge to upgrade it to the latest version.

Pierluigi Paganini

(Security Affairs –  Drupal, WordPress, hacking)  


facebook linkedin twitter

Billion Laughs attack Denial of Service Drupal Hacking Nir Goldshlager Wordpress

you might also like

Pierluigi Paganini August 18, 2025
AI for Cybersecurity: Building Trust in Your Workflows
Read more
Pierluigi Paganini August 18, 2025
Human resources firm Workday disclosed a data breach
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    AI for Cybersecurity: Building Trust in Your Workflows

    Security / August 18, 2025

    Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

    APT / August 16, 2025

    New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

    Malware / August 15, 2025

    Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

    Security / August 15, 2025

    'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

    Malware / August 15, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT