Welcome to WebmasterWorld Guest from

Forum Moderators: ergophobe

Message Too Old, No Replies

Denial of Service Security Vulnerability in WordPress, Drupal

Patches Available - August 6, 2014


Robert Charlton

6:32 am on Aug 10, 2014 (gmt 0)

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Announcement of a Denial of Service vulnerability potentially affecting default installations of WordPress versions 3.5 to 3.9, and default installations of Drupal versions 6.x to 7.x. Patches and upgrades available....

Major Security Vulnerability in WordPress, Drupal Could Take Down Websites
Aug 6, 2014
If your website runs on a self-hosted WordPress installation or on Drupal, update your software now.

Nir Goldshlager [breaksec.com], a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack and when executed, it can take down an entire website or server almost instantly....

- WordPress 3.9.2 Security Release [wordpress.org...]
- SA-CORE-2014-004 - Drupal core - Denial of service [drupal.org...]


8:41 pm on Aug 10, 2014 (gmt 0)

10+ Year Member Top Contributors Of The Month

Because of the potential vector size of this vulnerability, xxxx made sure to responsibly disclose the vulnerability to the WordPress and Drupal teams before sharing the results with the public.

Really? So these clever bunnies gave the CMS makers 5 minutes warning before advertising the exploit to the public?

How often do we see this and how absoluteley caring for attention to their self. I for one do not want to update my CMS versions, especially when they may be customized and/or require PHP and/or MYSQL versions not avilable on my server.

As for the potential of being exploited, if these prats did the right thing and informed the CMS makers only then it would be very unlikely for the vulnerability to ever be exploited!


9:20 pm on Aug 10, 2014 (gmt 0)

10+ Year Member Top Contributors Of The Month

Apparently the XML function can be disabled by adding the following code to the .htaccess file...

<Files xmlrpc.php>
Order Deny,Allow
Deny from all

This can apply to both Drupal amd WordPress.


6:29 pm on Aug 13, 2014 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

I saw this report shortly after it came out, but the fixes were rolled out fast enough that I had actually updated critical sites before I got the Sucuri notice.

Wordpress used to always have it disabled by default, though the file addresses are widely known. A few version ago WP finally decided it was secure enough to enable it by default.

Kendo - in addition to blocking access to xmlrpc.php, the Drupal security notice says that on Drupal you should disable the OpenID module. Since almost nobody I know actually has it enabled, that's likely a moot point, but I thought I'd mention it.

In any case, not to diminish the threat of a DDOS attack, but it's not the same to me as what I would consider a true security threat that allows access to secure areas of the site or allows installing malware on the site.

Featured Threads

Hot Threads This Week

Hot Threads This Month