New vulnerability for WordPress and Drupal

Security vulnerabilities do not respect holidays!

On August 5, 2014, a new security flaw affecting the WordPress and Drupal CMSs was published. The vulnerability does not depend on any additional plugin and is present in the default configuration of these tools.

What does it allow?

Using an XML bomb technique known as the XML quadratic blowup attack, an attacker can cause a denial of service by exhausting the RAM and CPU of the server hosting the site. This method is similar to the Billion Laughs attack, which relies on entity expansion. The attacker sends an XML file that, when parsed, forces the server to hold a large amount of data in memory. With this method, an XML file of barely 200 KB can occupy more than 100 MB of RAM, or even several GB depending on the structure of the original file.
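As an added example (not from the original post, nor from WordPress or Drupal), here is a small Python pre-parse guard that estimates how far the internal entity references in a document would expand before the document is handed to the XML parser, which is the check that stops both the quadratic blowup shape and the nested Billion Laughs shape. The threshold, the entity regex and the two sample documents are constructed for this illustration, and the estimator assumes entities are declared before they are referenced, as in the classic payloads.

```python
import re
import xml.etree.ElementTree as ET

# Internal DTD subset: <!DOCTYPE name ... [ ... ]>
INTERNAL_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
# Internal general entity declarations: <!ENTITY name "value"> or <!ENTITY name 'value'>
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')

# Hypothetical policy: refuse documents whose expanded body would exceed 100 KB
MAX_EXPANSION_BYTES = 100_000

def expanded_len(text: str, sizes: dict) -> int:
    """Length of `text` once every known entity reference is replaced by its expansion."""
    total = len(text)
    for name, size in sizes.items():
        ref = f'&{name};'
        total += text.count(ref) * (size - len(ref))
    return total

def entity_sizes(internal_subset: str) -> dict:
    """Expanded size of each declared entity, resolving nested references in order."""
    sizes = {}
    for name, dq, sq in ENTITY_DECL.findall(internal_subset):
        if name not in sizes:  # XML: the first binding of a name wins
            sizes[name] = expanded_len(dq if dq else sq, sizes)
    return sizes

def estimate_expansion(xml_text: str) -> int:
    """Estimated size of the document body after entity expansion (no DTD: no expansion)."""
    m = INTERNAL_SUBSET.search(xml_text)
    if not m:
        return len(xml_text)
    return expanded_len(xml_text[m.end():], entity_sizes(m.group(1)))

def safe_parse(xml_text: str) -> ET.Element:
    """Parse only if the estimated expansion stays under the policy limit."""
    est = estimate_expansion(xml_text)
    if est > MAX_EXPANSION_BYTES:
        raise ValueError(f'rejected XML: estimated expansion of {est} bytes')
    return ET.fromstring(xml_text)

# Constructed samples: a harmless entity, and one 1000-byte entity referenced 200 times
BENIGN_DOC = '<!DOCTYPE r [<!ENTITY co "Example Corp">]><r>&co;</r>'
QUADRATIC_DOC = ('<!DOCTYPE r [<!ENTITY a "' + 'A' * 1000 + '">]>'
                 + '<r>' + '&a;' * 200 + '</r>')
```

The estimate is linear in the input size, so the guard costs far less than the expansion it prevents.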

Since when does it exist?

According to the information published by the breaksec blog, the flaw exists in the following versions:

To test whether your site is vulnerable, you can use the following script: https://drive.google.com/file/d/0B2-5ltUODX1Lc3pGV0FjbUk4bjA/edit?usp=sharing

How to fix it?


We remind you that it is recommended to update your applications and services regularly, to guarantee their stability and security.

