Just as I released my latest article about the Top 10 Vulnerable WordPress Plugins, a new concern about the security of WordPress-powered websites appeared, as if to confirm my previous impressions. SalesForce.com security researcher Nir Goldshlager discovered a PHP-level vulnerability that could result in denial of service (DoS) attacks. The exploit in question is a variant of an XML-RPC Entity Expansion (XEE) method, best described as a more effective version of the "Billion Laughs" attack. In other words, websites running on WordPress and Drupal were exposed to XML attacks which can cause CPU and memory exhaustion, and can push MySQL to its maximum number of open connections. Given that these two applications together power around 30% of all websites worldwide, this was a real cause for concern. The good news is that right after Goldshlager notified the PHP, WordPress, and Drupal security teams all at once, their developers were quick on the trigger and have already released updates that tackle this issue.
How does it work?
In essence, this type of attack uses what is called an XML Quadratic Blowup Attack. In simple terms: a small XML document normally takes up only a few kilobytes. This vulnerability allows a single entity defined in that document, containing a large number of characters, to be referenced over and over again, so that when the parser expands it the document requires so many resources that it literally takes down your website, or even the entire server it is hosted on. We are talking about a repetition of thousands of characters, requiring gigabytes of memory in a matter of seconds!
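To make the mechanism concrete from the defender's side, here is an added example that is not code from the article, from WordPress, Drupal or the Incutio library: a small Python pre-check that a server could run on an incoming XML-RPC body before handing it to the real parser. It estimates how large the document would become after entity expansion (rather than expanding it), so that a tiny request that would balloon into megabytes is refused up front. It goes slightly beyond the quadratic case in the text by also sizing nested entity definitions (the classic Billion Laughs shape) and detecting reference cycles. The threshold, function names and the sample requests are all constructed assumptions for the example.

```python
import re

# Constructed assumption: the largest expanded request this front end is willing to parse.
MAX_EXPANDED_BYTES = 50_000

# Only the internal DTD subset and general entities of the form <!ENTITY name "value"> are
# handled; parameter entities and external entities are out of scope for this example.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
_ENTITY_DECL_RE = re.compile(r"<!ENTITY\s+(\w+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
_ENTITY_REF_RE = re.compile(r"&(\w+);")

# The five predefined XML entities each expand to a single character.
XML_PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}


def split_dtd(xml_text):
    """Return (internal DTD subset, document without the DOCTYPE)."""
    m = _DOCTYPE_RE.search(xml_text)
    if not m:
        return "", xml_text
    return m.group(1), xml_text[: m.start()] + xml_text[m.end():]


def entity_declarations(dtd):
    """Map entity name -> replacement text; XML keeps the first declaration of a name."""
    decls = {}
    for m in _ENTITY_DECL_RE.finditer(dtd):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        decls.setdefault(m.group(1), value)
    return decls


def expanded_length(text, decls, memo, visiting):
    """Length of `text` after recursively expanding every general entity reference,
    computed arithmetically so the check itself never allocates the expanded data."""
    total, last = 0, 0
    for m in _ENTITY_REF_RE.finditer(text):
        total += m.start() - last          # literal text before this reference
        last = m.end()
        name = m.group(1)
        if name in XML_PREDEFINED:
            total += 1
        elif name not in decls:
            total += len(m.group(0))       # undeclared reference: a real parser would reject it
        else:
            if name in visiting:
                raise ValueError(f"recursive entity reference: {name}")
            if name not in memo:
                visiting.add(name)
                memo[name] = expanded_length(decls[name], decls, memo, visiting)
                visiting.discard(name)
            total += memo[name]
    return total + (len(text) - last)      # literal text after the last reference


def estimate_expansion(xml_text):
    """Estimated size in characters of the document body once all entities are expanded."""
    dtd, body = split_dtd(xml_text)
    return expanded_length(body, entity_declarations(dtd), {}, set())


def check_xmlrpc_request(xml_text, max_bytes=MAX_EXPANDED_BYTES, strict=True):
    """Decide whether to parse an XML-RPC request. Returns (accepted, reason).

    XML-RPC never needs custom entities, so `strict=True` refuses any request that
    declares one; with `strict=False` the estimated expanded size is compared to the limit."""
    dtd, _ = split_dtd(xml_text)
    if strict and "<!ENTITY" in dtd:
        return False, "entity declarations are not accepted in XML-RPC requests"
    try:
        size = estimate_expansion(xml_text)
    except ValueError as exc:
        return False, str(exc)
    if size > max_bytes:
        return False, f"estimated expansion of {size} bytes exceeds limit of {max_bytes}"
    return True, "ok"


# Constructed sample requests: an ordinary call and a small-scale quadratic blowup shape.
BENIGN = ('<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
          '<params/></methodCall>')
QUADRATIC = ('<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY pad "' + "A" * 200 + '">]>'
             '<methodCall><methodName>demo.sayHello</methodName><params><param><value>'
             + "&pad;" * 400 + '</value></param></params></methodCall>')

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("quadratic", QUADRATIC)):
        print(label, len(req), "bytes on the wire ->", estimate_expansion(req),
              "expanded;", check_xmlrpc_request(req, strict=False))
```

With the strict policy the decision is trivial and cheap, which is why refusing entity declarations outright is the usual fix for an RPC endpoint; the size estimate is useful where a service must accept DTDs but still wants a hard ceiling on the work a single request can cause.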
What to do?
Luckily, due to the seriousness of the matter, the developers of the two affected applications did not waste any time and have already come up with the needed fixes, incorporated in their new security updates: WordPress 3.9.2 and Drupal 6.33/7.31. Interestingly, this is the first time that the WordPress and Drupal security teams have collaborated. Some found the collaboration itself a lot more interesting than the vulnerability. It certainly goes to show just how beneficial Open Source is, when two completely different CMS platforms are able to close such security holes so quickly. The vulnerability affects WordPress versions 3.5 and above, as well as Drupal 6.x and 7.x. The patch itself is for an external library that WordPress has always used, called the Incutio XML-RPC Library. Drupal uses a derivative of the same library, which makes the collaboration between the two teams quite logical and straightforward.
WordPress will be automatically upgrading all eligible websites on the WordPress 3.7 to 3.9 branches to include the above-mentioned fixes, as well as the WordPress 4.0 beta. The latest stable branch is now WordPress 3.9.2, and the WordPress 4.0 development branch is at beta 3. The release of WordPress 4.0 is still on the docket for the week of August 25th. If you have automatic updates enabled for WordPress, you should have seen them roll out by now; otherwise, you can download the update from WordPress.org. Anyone who does not use the auto-updater is strongly advised to update their scripts as soon as possible to avoid any possible negative consequences. Needless to say, users running versions earlier than the affected ones are urged to update anyway. Once again, it all comes down to keeping your installation up to date.
WebHostFace Customers Protected
WebHostFace has already taken the needed server precautions to mitigate the vulnerability, and the guys from Softaculous have already included the new script releases in the installer you can find in your cPanel. We would like to give a big "Thank You" to Mr Goldshlager for properly disclosing the issue to the script developers before releasing the information publicly, as well as to the WordPress and Drupal teams, who acted swiftly in finding a solution.