Security teams cooperate and release improved versions of their CMS solution

Aug 7, 2014 07:49 GMT  ·  By

Incorrect XML processing on WordPress and Drupal websites has been patched by the security teams of the two CMS solutions in an unprecedented joint effort; the vulnerability is present on every WordPress and Drupal website except those running the latest releases.

According to Incapsula, before the repair, the glitch affected “over 250 million websites, roughly 23% of the Internet website population today.”

The result of the collaboration between the two developers is the availability of WordPress 3.9.2 and Drupal versions 7.31 and 6.33. Each integrates a security fix that prevents an attacker from conducting denial-of-service (DoS) attacks by leveraging faulty XML processing in the PHP code of the XML-RPC implementation.

The discovery of the issue is credited to Nir Goldshlager of the Salesforce.com product security team, who alerted the security teams at WordPress, Drupal and PHP.

Although the problem was easily repaired, it had major implications because of the large number of websites using the two solutions; an attacker could take advantage of it and cause a denial-of-service condition on a targeted website by exhausting CPU and memory resources.

Goldshlager describes the specifics of the issue, saying that no plug-ins are necessary for the attack, which works against any vulnerable version of Drupal and WordPress in the default configuration and can be carried out from a single machine.

He said that during the attack an entity of a few thousand characters is defined and then referenced repeatedly, so that the parser replicates it over and over. The method is called “entity expansion”, and it turns a small request into increasingly large processing tasks.

“A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success,” Nir Goldshlager wrote on his blog at Break Security.

Eliminating the risk for the users has been a priority in the case of the two CMS solutions, as WordPress delivered about two million automatic updates to its clients in just one hour.

Igal Zeifman from Incapsula says that this type of attack “cannot be mitigated by most existing security measures.” He also added that the exploit “is a variant of an XML-RPC Entity Expansion (XEE) attack that is best described as a more effective version of the ‘Billion Laughs’ attack.”
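The following is an added example, not code from WordPress, Drupal or the researchers quoted here. It shows the defensive pre-check an XML-RPC endpoint can apply before handing a request to the XML parser: refuse any request that carries a DTD (an XML-RPC methodCall never needs one), and estimate from the entity declarations alone how large the nested expansion Goldshlager and Zeifman describe would have become, without ever building it. Names, the sample request and the small nested-entity document are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not WordPress/Drupal code; assumes the raw bytes of an XML-RPC <methodCall>.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb'<!ENTITY\s+(\w+)\s+"([^"]*)"', re.IGNORECASE)
REF_RE = re.compile(rb"&(\w+);")

def expanded_size(name, entities, memo, stack):
    """Bytes an internal entity occupies once fully expanded, computed from declarations only."""
    if name in memo:
        return memo[name]
    if name in stack:                      # entity referring to itself: unbounded
        return float("inf")
    value = entities.get(name)
    if value is None:                      # undeclared or predefined (&amp; etc.)
        return 0
    stack.add(name)
    size = len(REF_RE.sub(b"", value))     # literal text between references
    for ref in REF_RE.findall(value):
        size += expanded_size(ref, entities, memo, stack)
    stack.discard(name)
    memo[name] = size
    return size

def max_expansion(body):
    """Largest fully expanded entity declared in the document (0 if none)."""
    entities = dict(ENTITY_RE.findall(body))
    memo, stack = {}, set()
    return max((expanded_size(n, entities, memo, stack) for n in entities), default=0)

def check_xmlrpc_request(body):
    """(accepted, reason, estimated expansion): a DTD is refused before the parser sees it."""
    if DOCTYPE_RE.search(body):
        return False, "doctype-present", max_expansion(body)
    return True, "ok", 0

def method_name(body):
    """Parse only after the pre-check passed; return methodName or None."""
    if not check_xmlrpc_request(body)[0]:
        return None
    return ET.fromstring(body).findtext("methodName")

# Constructed samples: a normal call and a two-level nested-entity document (100 bytes x 10 x 10).
BENIGN = b"<?xml version='1.0'?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"
NESTED = (b"<?xml version='1.0'?><!DOCTYPE methodCall [" + b'<!ENTITY a "' + b"x" * 100 + b'">'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
          b"<methodCall><methodName>&c;</methodName></methodCall>")
```

The estimate grows by the branching factor at every nesting level while the request itself stays a few hundred bytes, which is the ratio the quoted figures refer to.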

Users are advised to update their versions of WordPress and Drupal to the newest builds immediately, in order to avoid the risk of an attacker disrupting the activity of their websites.

Goldshlager also published a proof-of-concept video of the attack on WordPress.