CHINA TOPIX

12/22/2024 09:54:50 pm

Make CT Your Homepage

Dangereous Vulnerability Threatens WordPress and Drupal Websites

WordPress website

WordPress website

Bloggers and web owners that use Wordpress or Drupal, two of the leading content management systems, are being asked to update their software as soon as possible.

An XML vulnerability affecting both WordPress and Drupal has been discovered by a product security team from Salesforce.com.

Like Us on Facebook

The vulnerability uses a well-known "XML Quadratic Blowup Attack" that could take down the entire website or server very quickly.

This is a huge problem because an enormous number of websites are run under Wordpress and Drupal.

The World Wide Web Consortium (WC3) said Wordpress powers 23 percent of all websites on the web.

The security team discovered the XML vulnerability affects the WordPress versions 3.5 to 3.9 and functions on the default installation.

In Drupal, it affects versions 6.x to 7.x and is on default installation as well.

The XML Quadratic Blowup Attack is also similar to the Billion Laughs attack that allows a small XML document to quickly cause a fracture in services running on a computer.

Instead of using nested entities inside an XML document, Quadratic Blowup will just repeatedly repeat a single large entity that has tens of thousands of characters.

A kilobyte XML document in memory becomes a megabyte or even gigabyte in size, making the website unusable.

When the XML vulnerability works, it causes 100 percent RAM and CPU usage and renders the server unavailable. There will be a Denial of Service attack on the MySQL database program.

As a result, both the website and its web server become inaccessible.

Real Time Analytics