Denial of Service Security Vulnerability in WordPress, Drupal
Patches Available - August 6, 2014
Robert Charlton

Msg#: 4694327 posted 6:32 am on Aug 10, 2014 (gmt 0)

Announcement of a Denial of Service vulnerability potentially affecting default installations of WordPress versions 3.5 to 3.9, and default installations of Drupal versions 6.x to 7.x. Patches and upgrades available....


Major Security Vulnerability in WordPress, Drupal Could Take Down Websites
Aug 6, 2014
[mashable.com...]
If your website runs on a self-hosted WordPress installation or on Drupal, update your software now.

Nir Goldshlager [breaksec.com], a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack and when executed, it can take down an entire website or server almost instantly....

See...
- WordPress 3.9.2 Security Release [wordpress.org...]
- SA-CORE-2014-004 - Drupal core - Denial of service [drupal.org...]


Kendo

Msg#: 4694327 posted 8:41 pm on Aug 10, 2014 (gmt 0)

Because of the potential vector size of this vulnerability, xxxx made sure to responsibly disclose the vulnerability to the WordPress and Drupal teams before sharing the results with the public.


Really? So these clever bunnies gave the CMS makers 5 minutes warning before advertising the exploit to the public?

How often do we see this and how absolutely caring for attention to themselves. I for one do not want to update my CMS versions, especially when they may be customized and/or require PHP and/or MYSQL versions not available on my server.

As for the potential of being exploited, if these prats did the right thing and informed the CMS makers only then it would be very unlikely for the vulnerability to ever be exploited!

Kendo

Msg#: 4694327 posted 9:20 pm on Aug 10, 2014 (gmt 0)

Apparently the XML function can be disabled by adding the following code to the .htaccess file...


# START XML RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>


This can apply to both Drupal and WordPress.
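As an added example (not code from WordPress, Drupal, or anyone in this thread): a Python pre-parse check for the quadratic blowup shape named in the first post, the kind of gate an XML-RPC endpoint can apply alongside blocking xmlrpc.php. The threshold and the sample requests are constructed for illustration.

```python
import re

# Threshold chosen for this example (constructed, not a value WordPress or Drupal uses).
MAX_EXPANDED_CHARS = 1_000_000

_DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.S)
# Internal general entities only; parameter (%) and SYSTEM/PUBLIC entities do not match.
_ENTITY = re.compile(r"""<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
_REF = re.compile(r"&([^\s;&]+);")

def _split(body):
    """Return ({entity name: replacement text}, document content after the DOCTYPE)."""
    m = _DOCTYPE.search(body)
    if not m:
        return {}, body
    ents = {name: dq or sq for name, dq, sq in _ENTITY.findall(m.group(1))}
    return ents, body[m.end():]

def _expanded_len(name, ents, seen=()):
    """Expanded length of one &name; reference, following nested entities."""
    if name not in ents or name in seen:   # undefined or recursive: count as literal text
        return len(name) + 2
    total = len(ents[name])
    for ref in _REF.findall(ents[name]):
        total += _expanded_len(ref, ents, seen + (name,)) - (len(ref) + 2)
    return total

def estimate_expansion(body):
    """Worst-case character count after every entity is expanded: an entity of
    length L referenced N times costs about L + N bytes on the wire but L * N in memory."""
    ents, content = _split(body)
    size = len(content)
    for ref in _REF.findall(content):
        size += _expanded_len(ref, ents) - (len(ref) + 2)
    return size

def is_acceptable(body, limit=MAX_EXPANDED_CHARS):
    """Cheap pre-parse gate: reject the request before an XML parser sees it."""
    return estimate_expansion(body) <= limit

# Constructed sample requests for illustration.
BENIGN = ('<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
          '<params><param><value><string>hi &amp; bye</string></value></param></params></methodCall>')
# Quadratic-blowup shape: a 1,000-char entity referenced 2,000 times, about 7 KB on the
# wire but about 2 MB once expanded.
BLOWUP = ('<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY a "' + "A" * 1000 + '">]>'
          '<methodCall><methodName>demo</methodName><params><param><value>'
          + "&a;" * 2000 + '</value></param></params></methodCall>')
```

The estimate is deliberately conservative: undeclared references such as `&amp;` are counted at their literal length, and recursive entity definitions are cut off rather than followed.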

ergophobe

Msg#: 4694327 posted 6:29 pm on Aug 13, 2014 (gmt 0)

I saw this report shortly after it came out, but the fixes were rolled out fast enough that I had actually updated critical sites before I got the Sucuri notice.

WordPress used to always have it disabled by default, though the file addresses are widely known. A few versions ago WP finally decided it was secure enough to enable it by default.

Kendo - in addition to blocking access to xmlrpc.php, the Drupal security notice says that on Drupal you should disable the OpenID module. Since almost nobody I know actually has it enabled, that's likely a moot point, but I thought I'd mention it.

In any case, not to diminish the threat of a DDOS attack, but it's not the same to me as what I would consider a true security threat that allows access to secure areas of the site or allows installing malware on the site.
