Nir Goldshlager, a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.
The vulnerability is exploited with a well-known technique, the XML Quadratic Blowup Attack, and when executed it can take down an entire website or server almost instantly.
The attack declares a single large entity once in the document's DOCTYPE and then references it many thousands of times in the body. The parser has to materialise the entity on every reference, so the memory needed grows with the product of the entity's length and the number of references: an XML document that is only a few hundred kilobytes on the wire can end up requiring hundreds of megabytes or even gigabytes of memory once parsed.
The vulnerability affects WordPress versions 3.5 to 3.9 (the current version) and works on the default installation. It affects Drupal versions 6.x to 7.x (the latest version) and also works on the default
How the attack is exploited
The default memory allocation limit for PHP (the language that WordPress and Drupal are written in) is 128MB per process: PHP's memory_limit setting aborts a script that tries to allocate more. In theory, this means that a single XML bomb request can't push a process past the 128MB limit. So far so good, right?
Here's the problem: Apache, the world's most popular web server, has its MaxClients directive set to 256 by default, so it will serve up to 256 requests at the same time. Meanwhile, MySQL, the database that WordPress and Drupal use, has its default max_connections value set to 151, and both platforms open a database connection for each request they serve. The smaller of those two figures, 151, is therefore the number of PHP processes an attacker can keep busy at once.
If we multiply the per-process memory limit by that number of concurrent connections (128MB x 151), we get 19328MB, roughly 19GB, which will consume all available memory on most servers.
To successfully attack the server, the attacker needs to fingerprint the memory limit configured on the victim's server and size the payload to stay just under it. If the expanded payload exceeds the PHP limit, PHP aborts that request with a fatal error before the response is produced, rendering the attack unsuccessful.
A correctly sized payload, however, is fully expanded by the parser and returned in the response. Enough concurrent requests of that size exhaust the server's memory and bring the system down.
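To make the mechanism described above concrete (the blowup itself, and the sizing check against the memory limit), here is an added Python example that is not part of the original article or of Goldshlager's research. It builds a small quadratic-blowup document, parses it with Python's expat (which expands internal entities, as PHP's XML parsers do by default), measures how many characters the parser materialises, and shows the pre-parse gate a defender can put in front of an XML endpoint: reject any DOCTYPE outright, or, where one must be accepted, estimate the expansion from the entity declarations and compare it with the configured memory limit. The entity name `x`, the sample sizes, the `memory_limit` figures and the benign XML-RPC body are constructed for the example.

```python
"""Quadratic blowup: build a small sample, measure what the parser
materialises, and show the pre-parse check a defender would add.
All documents and sizes below are constructed for this example."""
import re
import xml.parsers.expat

# Single-level internal entity declarations and any DOCTYPE at all.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def build_quadratic_blowup(entity_size: int, references: int) -> bytes:
    """Constructed sample: one internal entity `x` of `entity_size` bytes,
    referenced `references` times in the body. On the wire the document is
    about entity_size + 3 * references bytes; parsed, it is
    entity_size * references characters."""
    payload = "A" * entity_size
    return (
        "<?xml version='1.0'?>\n"
        '<!DOCTYPE bomb [<!ENTITY x "' + payload + '">]>\n'
        "<bomb>" + "&x;" * references + "</bomb>"
    ).encode()


def expanded_size(doc: bytes) -> int:
    """Parse with expat and count the character data it hands back.
    Internal entities are expanded on every reference, so this is the
    size the parser actually has to materialise."""
    total = 0

    def on_chars(data: str) -> None:
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def estimate_expansion(doc: bytes) -> int:
    """Cheap estimate made before parsing: for each internal entity,
    its length times the number of times it is referenced. Nested
    entities are not followed, which is one reason a DOCTYPE is best
    rejected altogether (see should_reject)."""
    text = doc.decode("utf-8", errors="replace")
    total = 0
    for name, value in ENTITY_DECL.findall(text):
        refs = len(re.findall(r"&%s;" % re.escape(name), text))
        total += len(value) * refs
    return total


def should_reject(doc: bytes, memory_limit: int,
                  allow_doctype: bool = False) -> bool:
    """Gate a request body before it reaches the XML parser.
    Default policy: any DOCTYPE is rejected, since XML-RPC traffic never
    needs one. If a deployment must accept a DOCTYPE, the expansion
    estimate is compared with the configured memory limit instead."""
    text = doc.decode("utf-8", errors="replace")
    if DOCTYPE.search(text) is not None and not allow_doctype:
        return True
    return estimate_expansion(doc) > memory_limit


if __name__ == "__main__":
    limit = 128 * 1024 * 1024  # PHP's default memory_limit, as in the article
    bomb = build_quadratic_blowup(1000, 1000)
    print("request bytes:", len(bomb))
    print("estimated expansion:", estimate_expansion(bomb))
    print("parser materialised:", expanded_size(bomb))
    print("reject (default policy):", should_reject(bomb, limit))
    print("reject (DOCTYPE allowed, 128MB):",
          should_reject(bomb, limit, allow_doctype=True))
```

With the sample figures the request is about 4 KB and the parser materialises 1,000,000 characters, an amplification of roughly 250x; scaling the entity to tens of kilobytes and the reference count to tens of thousands reaches the hundreds of megabytes the article describes from a request of a few hundred kilobytes. The estimate counts only character data, not the parser's own tree structures, so a production threshold should sit well below the PHP memory_limit rather than at it, and the simpler policy of refusing any DOCTYPE avoids the question entirely.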