Major vulnerability in WordPress and Drupal could take down a site


    Nir Goldschleger, a security researcher at Salesforce.com, discovered the XML vulnerability in WordPress and Drupal, writes Mashable. The vulnerability relies on a well-known XML attack, the Quadratic Blowup Attack, and when executed it can bring down an entire site or server almost instantly.

    The XML vulnerability discovered by Goldschleger can drive CPU and RAM usage to 100%, which makes the server unreachable and results in a DoS against the MySQL database. The vulnerability is present in WordPress from 3.5 to 3.9 (the current version) and in Drupal from 6.x to 7.x (the latest version). WordPress and Drupal have already released patches.

    The XML Quadratic Blowup Attack is similar to the Billion Laughs attack, in which a very small XML document can completely disrupt services on a machine within seconds. Instead of nesting entities inside one another within the XML document, the Quadratic Blowup Attack simply defines one large entity of tens of thousands of characters and references it over and over.

    With this type of attack, an XML document only a few hundred kilobytes in size can end up occupying hundreds of megabytes or even gigabytes of memory once parsed, which is easily enough to bring down the whole site or web server. According to Goldschleger:

    <?xml version="1.0"?>
    <!DOCTYPE DoS [
      <!ENTITY x "xxxxxxxxxxxxxxxxx...">
    ]>
    <DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;...</DoS>


    “If an attacker sets the length of the entity &x; to 55 thousand characters and references this entity 55 thousand times inside the DoS element, the parser faces an XML Quadratic Blowup attack payload of just over 200 KB in size, which expands to 2.5 GB when parsed. This expansion is enough to kill the parsing process.”

    In PHP, the default memory limit is 128 MB per process, so in theory a single XML bomb cannot exceed 128 MB. However, the Apache web server's “Max Clients” parameter is 256 by default, and the MySQL database's “Max Connections” parameter is 151 by default. If we multiply the per-process limit by the number of connections (128x151), we get 19328 MB, which is enough to consume all available memory.

    To attack the server successfully, the attacker must determine the memory limit on the victim's server. If the payload's expansion exceeds the PHP limit, the server aborts the oversized parse, and the attack fails. A successful attack, however, applies the full expansion load to the system and brings it down.
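    The following Python script is an added example, not code from the article, from Goldschleger, or from WordPress or Drupal. It builds the document shape shown above with the quoted parameters (a 55,000-character entity referenced 55,000 times), estimates the parsed size from the entity declarations without actually expanding anything, and applies the defender-side check the article's memory-limit discussion implies: reject the document up front if it carries a DOCTYPE at all, or if its estimated expansion exceeds the process memory budget (128 MB, the PHP default named in the text). The estimator also follows references inside entity values, so it covers the nested Billion Laughs shape as well as the flat quadratic one. All function names, the regexes, and the sample documents are constructed for this illustration.

```python
import re

# Internal general entity declarations, e.g. <!ENTITY x "xxx"> (double or single quotes).
# Parameter entities and external (SYSTEM/PUBLIC) entities are deliberately not matched;
# the DOCTYPE check below rejects them before any parsing happens.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)

PHP_DEFAULT_MEMORY_LIMIT = 128 * 1024 ** 2  # 128 MB, the default named in the article


def build_quadratic_blowup(entity_len: int, ref_count: int, name: str = "x") -> str:
    """Constructed sample: one long entity referenced many times (the article's shape)."""
    value = "x" * entity_len
    refs = f"&{name};" * ref_count
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE DoS [\n"
        f'  <!ENTITY {name} "{value}">\n'
        "]>\n"
        f"<DoS>{refs}</DoS>\n"
    )


def entity_sizes(decls: dict) -> dict:
    """Expanded byte length of each declared entity, following nested references.

    A reference cycle is reported as an error instead of looping forever."""
    sizes = {}

    def size_of(name: str, seen: set) -> int:
        if name in sizes:
            return sizes[name]
        if name in seen:
            raise ValueError(f"recursive entity reference: {name}")
        seen.add(name)
        value = decls[name]
        total = len(value.encode())
        for m in ENTITY_REF.finditer(value):
            if m.group(1) in decls:
                # Replace the "&name;" token length with the referenced entity's expanded length.
                total += size_of(m.group(1), seen) - len(m.group(0))
        seen.discard(name)
        sizes[name] = total
        return total

    for name in decls:
        size_of(name, set())
    return sizes


def estimate_expansion(xml: str) -> tuple:
    """Return (payload_bytes, expanded_bytes) for the document, without expanding it."""
    payload = len(xml.encode())
    decls = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
             for m in ENTITY_DECL.finditer(xml)}
    sizes = entity_sizes(decls)
    # Only the part after the internal DTD subset is document content.
    body = xml.split("]>", 1)[1] if "]>" in xml else xml
    expanded = len(body.encode())
    for m in ENTITY_REF.finditer(body):
        if m.group(1) in sizes:
            expanded += sizes[m.group(1)] - len(m.group(0))
    return payload, expanded


def is_safe_to_parse(xml: str, memory_limit: int = PHP_DEFAULT_MEMORY_LIMIT,
                     allow_dtd: bool = False) -> tuple:
    """Pre-parse gate: (ok, reason). Endpoints that never need a DTD should keep allow_dtd=False."""
    if not allow_dtd and DOCTYPE.search(xml):
        return False, "DOCTYPE declarations are not accepted on this endpoint"
    try:
        payload, expanded = estimate_expansion(xml)
    except ValueError as exc:
        return False, str(exc)
    if expanded > memory_limit:
        return False, f"estimated expansion {expanded} bytes exceeds limit {memory_limit} bytes"
    return True, "ok"


if __name__ == "__main__":
    doc = build_quadratic_blowup(55_000, 55_000)
    payload, expanded = estimate_expansion(doc)
    print(f"payload: {payload} bytes, estimated expansion: {expanded} bytes "
          f"(x{expanded // payload})")
    print(is_safe_to_parse(doc))
    print(is_safe_to_parse(doc, allow_dtd=True))
```

    With the article's parameters the payload is a little over 220 KB and the estimate is on the order of 3 GB, the same order of magnitude as the 2.5 GB figure quoted above and far past a 128 MB budget, so the gate rejects it whether or not DTDs are allowed. The estimate is computed from the declaration text alone, which is the point: the cost of deciding is linear in the payload, not in the expansion.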

