WordPress and Drupal Are Vulnerable to a DoS Attack

The XML vulnerability is present in WordPress versions 3.5 to 3.9.1 (the latest version) and works on the default installation. The same vulnerability affects Drupal versions 6.x to 7.x (the current version) and also works on the default installation.
Both WordPress and Drupal have released an update today to address this problem and all users should upgrade to the latest version as soon as possible.
WordPress 3.7 introduced automatic updates, which allow security patches such as this one to be rolled out to users automatically.

The issue is serious because WordPress and Drupal are used by millions of websites. Recent statistics from the World Wide Web Consortium (W3C) say that WordPress alone powers nearly 23% of the web, and Drupal is used by over one million websites.
WordPress is a free and open-source blogging tool and content management system (CMS) with more than 30,000 plugins, each offering custom functions and features that let users tailor their sites to their specific needs. Because it is easy to set up and use, tens of millions of websites across the world have opted for it.

The latest update, WordPress 3.9.2, mainly addresses an issue in PHP's XML processor that could be exploited to trigger a DoS (denial of service) attack. The vulnerability affects all previous versions of WordPress.
The XML vulnerability, which impacts both of the popular website platforms, was first reported by Nir Goldshlager, a security researcher on Salesforce.com's product security team. The issue was later fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team.

As explained earlier, the XML vulnerability makes use of an XML Quadratic Blowup Attack, which is similar to a 'Billion Laughs' attack and allows a very small XML document to completely disrupt the services on a machine in a matter of seconds.
The XML Quadratic Blowup Attack abuses entity expansion: instead of nesting entities inside one another within the XML document, it defines a single large entity of tens of thousands of characters and references it over and over again.
In this type of attack, a medium-sized XML document of nearly two hundred kilobytes could require anywhere from hundreds of megabytes to several gigabytes of memory to parse. Exploited by an attacker, this could easily bring down an entire website or web server.
"If an attacker defines the entity '&x;' as 55,000 characters long, and refers to that entity 55,000 times inside the 'DoS' element, the parser ends up with an XML Quadratic Blowup attack payload slightly over 200 KB in size that expands to 2.5 GB when parsed. This expansion is enough to take down the parsing process," Nir Goldshlager wrote in his blog.
Goldshlager has also provided a video demonstration as a proof-of-concept to the WordPress Denial of Service attack.
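As an added illustration, not code from the article or from either project, here is a defender-side check in Python that estimates how large a document would become after internal entity expansion, so an XML endpoint can refuse it before the real parser allocates the memory. The size limit and the sample documents are constructed for this example; the blowup sample follows the shape quoted above but scaled down to 64 characters referenced 64 times, and the estimator also handles nested declarations, which covers the 'Billion Laughs' variant the article mentions.

```python
import re

MAX_EXPANDED_BYTES = 1 << 20   # assumed limit for this example: refuse past 1 MiB

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def _expanded_len(name, entities, memo, stack):
    """Fully expanded size of one entity; recurses into nested references."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f'recursive entity reference: &{name};')
    value = entities.get(name)
    if value is None:               # predefined (&amp;) or undeclared: one char
        return 1
    stack.add(name)
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last + _expanded_len(m.group(1), entities, memo, stack)
        last = m.end()
    total += len(value) - last
    stack.discard(name)
    memo[name] = total
    return total

def estimate_expanded_bytes(xml_text):
    """Size after entity expansion, computed without expanding anything."""
    entities, dtd_end = {}, 0
    for m in ENTITY_DECL.finditer(xml_text):
        entities[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        dtd_end = m.end()
    memo, growth = {}, 0
    for m in ENTITY_REF.finditer(xml_text, dtd_end):   # references in the body only
        growth += _expanded_len(m.group(1), entities, memo, set()) - len(m.group(0))
    return len(xml_text) + growth

def is_safe_to_parse(xml_text, limit=MAX_EXPANDED_BYTES):
    """Gate to run before handing the bytes to the real XML parser."""
    try:
        return estimate_expanded_bytes(xml_text) <= limit
    except ValueError:              # cyclic entities: reject rather than parse
        return False

# Constructed samples; the blowup one is the quoted shape scaled down to a
# 64-byte entity referenced 64 times (the article's payload used 55,000 of each).
BLOWUP_SAMPLE = ('<?xml version="1.0"?><!DOCTYPE DoS [<!ENTITY x "' + 'A' * 64
                 + '">]><DoS>' + '&x;' * 64 + '</DoS>')
BENIGN_SAMPLE = '<?xml version="1.0"?><DoS>Tom &amp; Jerry</DoS>'
```

This estimator is a cheap first gate only; the parser itself should still be configured not to resolve entities (for Python, the defusedxml package provides such hardened parsers).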

About Jaime Lacson

A freelance computer tech with knowledge about computers, routers and mobile phones, especially in upgrading and downgrading operating systems and in software and hardware troubleshooting.