Learning from the Drupal/WordPress vulnerability

An XML vulnerability that affects the most common versions of both WordPress and Drupal could potentially impact over a quarter of all websites that exist, analysts revealed last week. Simultaneously as the news was made public, both companies released patches that protect against this vulnerability, that, when exploited, can take down an entire website or server, cause 100 percent CPU and RAM usage, as well as create a Denial of Service attack on the MySQL database program. In essence, the attack could be devastating. According to online analysis, the vulnerability uses an XML Quadratic Blowup Attack, allowing an XML entity to quickly and totally overload a machine by repeating tens of thousands of characters.

Both WordPress and Drupal immediately updated their software, and those users who have automated updates built into their setup are most likely already safe from exposure. The efficient handling of the updates was in part due to the controlled public release of the vulnerability’s existence, to help WordPress and Drupal patch their applications before exploitation could occur on a wide scale.

“Given the nature of this type of attack — and the relative ease in which it could have been exploited — the repercussions for plenty of website owners and web hosts could have been innumerable,” the company that discovered the vulnerability reflected. “Responsible disclosure was the best way to get the issue out in the open, and also fixed.”

“As soon as a vulnerability in popular CMS platforms like Drupal is discovered, millions of crawlers operated by hackers start searching for vulnerable websites,” Ilia Kolochenko, CEO at High-Tech Bridge, commented in an email to SCmagazineUK.com. “Once a victim is identified, their website gets hacked, patched (to prevent “competition” to overtake the same site) and backdoored,” he continued, “any website can be easily sold on the black market.”

“Hacking is a sad reality,” Kolochenko observed, “but Drupal is doing a very good job of mitigating the risks, by quickly making people aware of them.”