Categories: HackingSecurity

WordPress and Drupal websites Vulnerable to DoS attack which can make them completely inaccessible

The popular expert Nir Goldshlager has discovered an XMLRPC vulnerability which affects millions WordPress and Drupal websites exposing them to DoS Attack.

If your website is based a WordPress or Drupal CMS you need to urgently update it to the last version released due to the presence of a critical vulnerability in the implementation of XMLRPC. XMLRPC is a remote procedure call (RPC) protocol which uses XML to encode its request and the HTTP as a carrier. The vulnerability is critical because millions of websites currently use WordPress and Drupal, the XML vulnerability is present in WordPress versions from 3.5 to 3.9.1 and Drupal versions from 6.x to 7.x.
The critical flaw, which affects all previous versions of WordPress, could be exploited by an attacker to conduct a Denial of Service (DoS) attack against our our website.
The vulnerability in the CMSs was discovered by the popular expert Nir Goldshlager, it is a problem related to the PHP’s XML processor that was promptly fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team.
As explained by the research Goldshlager in his blog post, a hacker could exploit a know technique of attack, the XML Quadratic Blowup Attack, to make the targeted website completely inaccessible instantly due to the saturation of memory, CPU and of the pool of open connections.

Goldshlager highlights the similitude of the XML quadratic blowup attack with the Billion Laughs attack, it basically exploits the use of entity expansion, this means that it replicates one large entity using a couple thousand characters repeatedly.

“A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success.”

In the following example provided by the expert, if the attacker defines the entity “&x;” as 55,000 characters long, and uses this entity 55,000 times inside the XML “DoS” element, the parser will expand to 2.5 GB the document causing the saturation of resources of targeted website.

<?xml version=”1.0″?> 
<!DOCTYPE DoS [!<ENTITY a "xxxxxxxxxxxxxxxxx...">]>
<DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;…</DoS>

Following a video Proof of Concept of the attack on WordPress published by Goldshlager, while the PoC Exploit: (128MB Memory limit) is available at the address below

https://drive.google.com/file/d/0B2-5ltUODX1Lc3pGV0FjbUk4bjA/edit?usp=sharing
Both WordPress and Drupal have released an update today to fix the problem, all users that have chosen to manually update their CMS instance, urge to upgrade it to the latest version.

Pierluigi Paganini

(Security Affairs –  Drupal, WordPress, hacking)  

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: Billion Laughs attackDenial of ServiceDrupalHackingNir GoldshlagerWordpress
10 years ago

Recent Posts

CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog

CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…

7 hours ago

CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog

U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…

14 hours ago

DOJ arrested the founders of crypto mixer Samourai for facilitating $2 Billion in illegal transactions

The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…

14 hours ago

Google fixed critical Chrome vulnerability CVE-2024-4058

Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…

19 hours ago

Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks

Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…

1 day ago

Hackers hijacked the eScan Antivirus update mechanism in malware campaign

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…

2 days ago

This website uses cookies.