August 8th, 2014 by Tommy McConnell

Two major website platforms, WordPress and Drupal, were hit by a vulnerability in their handling of Extensible Markup Language (XML) input. The technique is an XML Quadratic Blowup Attack, and it can take down a website or its server almost instantly. WordPress alone powers roughly 23% of existing websites. The vulnerability affects WordPress versions 3.5 through 3.9 and Drupal versions 6.x and 7.x, and both platforms were vulnerable in their default installation.

No need to worry, though: patches for both applications have been released (WordPress 3.9.2, Drupal 7.31 and 6.33). Simply upgrade whichever platform you use to the latest version to protect your website. A successful attack drives CPU and RAM usage to 100%, which is what makes the server unavailable; it can also produce a denial of service against the MySQL database. All in all, your website becomes completely inaccessible.

So how does the attack work? It is a form of entity-expansion attack: a very small XML document declares a single entity whose value is thousands of characters long, then references that entity over and over again in the document body. Every reference is expanded to the full value when the document is parsed, so a document of only a few hundred kilobytes on the wire can require hundreds of megabytes, sometimes gigabytes, of memory to process. Enough such requests and the entire website is down.
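The mechanism above in code, as an added example that is not from the original post and not from the WordPress or Drupal code bases. It builds a quadratic-blowup document, estimates its expanded size without actually expanding it, and shows a defensive check in the spirit of the platform patches (rejecting DOCTYPE entirely, or capping the estimated expansion ratio); the entity and element names, the ratio limit and the sample XML-RPC call are all illustrative choices made here, not identifiers from the real advisories or patches.

```python
import re
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

# Illustrative entity name chosen for this example, not one taken from
# any real exploit or advisory.
ENTITY_NAME = "big"


def build_blowup_document(entity_size: int, references: int) -> str:
    """Build a quadratic-blowup document: ONE long entity, referenced many times.

    Wire size grows as entity_size + 5 * references, but the expanded text
    grows as entity_size * references, which is why a few hundred kilobytes
    on the wire can demand gigabytes once a parser expands every reference.
    """
    value = "A" * entity_size
    body = f"&{ENTITY_NAME};" * references
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE doc [<!ENTITY {ENTITY_NAME} "{value}">]>'
        f"<doc>{body}</doc>"
    )


_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def estimate_expansion(xml_text: str) -> Tuple[int, int]:
    """Return (wire_size, expanded_size) without expanding anything.

    Models only internal general entities with a literal value, which is
    exactly the shape of the quadratic blowup. Entities that reference other
    entities (the 'billion laughs' variant) are outside this estimate.
    """
    expanded = len(xml_text)
    for name, value in _ENTITY_DECL.findall(xml_text):
        ref = f"&{name};"
        # Each reference is replaced by the full value at parse time.
        expanded += xml_text.count(ref) * (len(value) - len(ref))
    return len(xml_text), expanded


def check_document(xml_text: str, allow_doctype: bool = False,
                   max_ratio: float = 10.0) -> Optional[str]:
    """Return a rejection reason, or None if the document is acceptable.

    Default policy: refuse any DOCTYPE. XML-RPC payloads never need one, so
    this is the simplest and safest rule for an RPC endpoint.
    With allow_doctype=True: permit entities but cap the estimated expansion
    at max_ratio times the wire size (the limit value is an assumption).
    """
    if _DOCTYPE.search(xml_text):
        if not allow_doctype:
            return "DOCTYPE / entity declarations are not accepted"
        wire, expanded = estimate_expansion(xml_text)
        if expanded > max_ratio * wire:
            return f"estimated expansion {expanded / wire:.1f}x exceeds {max_ratio}x"
    return None


def safe_parse(xml_text: str, allow_doctype: bool = False,
               max_ratio: float = 10.0) -> ET.Element:
    """Parse only after check_document() has accepted the input."""
    reason = check_document(xml_text, allow_doctype, max_ratio)
    if reason is not None:
        raise ValueError(reason)
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    # Attack-scale document: a 100 KB entity referenced 100,000 times.
    payload = build_blowup_document(100_000, 100_000)
    wire, expanded = estimate_expansion(payload)
    print(f"wire size: {wire / 1024:.0f} KiB, expanded: {expanded / 2**30:.1f} GiB")
    print("check:", check_document(payload))
    # Constructed, benign XML-RPC call: accepted and parsed normally.
    call = "<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"
    print("benign call parses as:", safe_parse(call).tag)
```

The estimate is deliberately computed from the raw text rather than by parsing, so the check itself cannot be used to trigger the blowup; the cost is a regex pass and a substring count over the request body, which is linear in its size.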

PHP, the language both platforms are written in, enforces a memory limit per process; the commonly cited value is 128 megabytes, so on its face a single request cannot consume more than that. The catch is that the attacker sends many requests at once. The most popular web server, Apache, allows 256 concurrent worker processes by default (its "MaxClients" setting), and WordPress and Drupal raise the per-process maximum to 151 megabytes. Multiply the two and you get 256 × 151 = 38,656 megabytes, roughly 38 gigabytes, which is far more than a typical server has: all available memory is consumed.

The fix is to update the software, which both projects have done; the exact procedure depends on your setup. WordPress now supports automatic background updates for minor and security releases, so security patches are rolled out to most users without intervention. If your site does not have automatic updates enabled, be sure to update manually on a regular schedule to keep it protected.

The XML vulnerability is no longer a threat on patched installations. Keep all of this in mind, though, in case something similar comes along.
