WordPress and Drupal’s Major Vulnerability Threat and How To Fix It

WordPress and Drupal, two of the most popular website CMS platforms, have been facing a serious security threat that can take down an entire site and the server that hosts it.

WordPress, which powers almost 23% of the websites on the web, and Drupal, the platform many advanced developers build on, are both exposed to the XML Quadratic Blowup Attack. The attack can drive CPU and RAM usage to 100%, push the server to its limits and leave the MySQL database unable to respond, resulting in a Denial of Service.

According to Nir Goldshlager, a security researcher at Salesforce.com, the XML Quadratic Blowup Attack affects WordPress versions 3.5 to 3.9, including the default installation. Drupal versions 6.x to 7.x are also susceptible.

How the XML Quadratic Blowup Attack Works

The XML Quadratic Blowup submits a crafted XML document to the library file that parses it, and that document expands beyond the server's memory limit once parsed. The default memory allocation limit for PHP is 128MB per process, while the MySQL default maximum number of connections is 151; multiplying the two gives 19,328MB, far more memory than the server has available.

The XML Quadratic Blowup targets the library file (XML-RPC for WordPress and the equivalent function in Drupal) that parses the document. The document declares one large entity and then references it over and over, so that it expands into thousands of characters, until the server's memory limit is exceeded and the server becomes unusable. When the server goes down, every website it hosts goes down with it.
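The mechanism described above can be checked for before a parser ever expands the document. The following is an added example, not code from WordPress, Drupal or the researcher cited here: a pre-parse guard, written in Python with `xml.etree` standing in for the PHP XML-RPC library, that estimates how many bytes the entity references in a request would produce and refuses the request when that exceeds an assumed byte budget (`MAX_EXPANDED_BYTES`). The three request documents are constructed for the demonstration and are deliberately tiny.

```python
"""Pre-parse guard against XML quadratic blowup (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

# Assumed budget: far below the 128MB per-process PHP limit the article cites.
MAX_EXPANDED_BYTES = 1_000_000

# Internal general entity with a literal value: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')


def estimate_expansion(xml_text: str) -> int:
    """Bytes that entity references would add when expanded.

    The quadratic term is (length of the entity value) x (number of references):
    both grow with the request size, so the output grows with its square.
    Raises ValueError for declarations this estimator cannot bound: external
    (SYSTEM/PUBLIC) or parameter entities, and values that reference other
    entities (the nested variant).
    """
    matches = ENTITY_DECL.findall(xml_text)
    if len(matches) != xml_text.count("<!ENTITY"):
        raise ValueError("external or parameter entity declaration")
    total = 0
    for name, dq, sq in matches:
        value = dq or sq
        if "&" in value:
            raise ValueError(f"entity '{name}' references other entities")
        total += xml_text.count(f"&{name};") * len(value.encode())
    return total


def is_safe(xml_text: str, max_bytes: int = MAX_EXPANDED_BYTES) -> bool:
    """True when the document can be expanded within the byte budget."""
    try:
        return estimate_expansion(xml_text) <= max_bytes
    except ValueError:
        return False


def parse_guarded(xml_text: str, max_bytes: int = MAX_EXPANDED_BYTES):
    """Return the root element, or None when the guard rejects the document."""
    if not is_safe(xml_text, max_bytes):
        return None
    return ET.fromstring(xml_text)


# Constructed inputs for the demonstration (not captured traffic).
# A normal XML-RPC call: no DOCTYPE, nothing to expand.
BENIGN_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>demo.sayHello</methodName>"
    "<params><param><value><string>hello</string></value></param></params>"
    "</methodCall>"
)

# The article's pattern in miniature: one 100-byte entity referenced 50 times,
# so 5,000 bytes come out of a request a fraction of that size.
BLOWUP_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE methodCall [<!ENTITY big "' + "A" * 100 + '">]>'
    "<methodCall><methodName>demo.sayHello</methodName>"
    "<params><param><value>" + "&big;" * 50 + "</value></param></params>"
    "</methodCall>"
)

# Nested references: rejected outright rather than estimated.
NESTED_REQUEST = (
    '<!DOCTYPE r [<!ENTITY a "AAAA"><!ENTITY b "&a;&a;&a;&a;">]><r>&b;</r>'
)


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_REQUEST), ("blowup", BLOWUP_REQUEST),
                       ("nested", NESTED_REQUEST)]:
        try:
            est = estimate_expansion(doc)
        except ValueError as exc:
            est = f"rejected ({exc})"
        print(f"{label:7} raw={len(doc):5} bytes  expansion={est}")
    # A tight budget stops the blowup document before the parser sees it.
    print("blowup parsed under a 1,000-byte budget:",
          parse_guarded(BLOWUP_REQUEST, max_bytes=1_000) is not None)
```

The guard is deliberately conservative: anything it cannot bound cheaply (external, parameter or nested entities) is refused rather than estimated. For a public XML-RPC endpoint the simplest policy is stricter still, refusing any request that carries a DOCTYPE at all, since legitimate XML-RPC calls never need one.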

Fixes for the XML Quadratic Blowup Attack

The good news for WordPress and Drupal users is that both platforms have released updates that address the XML Quadratic Blowup Attack. The fix is to update WordPress and Drupal. WordPress 3.7 recently introduced automatic updates, which deliver security patches to protect web hosts and websites.

Website owners can also run the software updates manually if their web hosts have switched off automatic updates.

Goldshlager, WordPress and Drupal worked together on fixing the issue, and both projects have advised their users to switch on automatic software updates to prevent such attacks.

If you need help updating your CMS, you can call 9DotStrategies at +1-510-936-8878 (US Direct) or +63 02 846-6845 (PH). 9DotStrategies is a premier web development company offering a wide range of services, from digital marketing and SEO consultancy to complete web solutions. We will help you select a CMS platform that suits the size and nature of your business, and integrate security measures into your site.
