
Major vulnerability in WordPress and Drupal can take down a site


Nir Goldshleger, a security researcher at Salesforce.com, discovered an XML vulnerability in WordPress and Drupal, Mashable reports. The vulnerability exploits the well-known XML Quadratic Blowup attack, and when it is executed it can take down an entire site or server almost instantly.

The XML vulnerability discovered by Goldshleger can drive CPU and RAM to 100% load, making the server unreachable and turning into a DoS attack on the MySQL database as well. The vulnerability is present in WordPress from 3.5 to 3.9 (the current version) and in Drupal from 6.x to 7.x (the latest version). WordPress and Drupal have already released patches.

The XML Quadratic Blowup attack is similar to the Billion Laughs attack, in which a very small XML document can completely disrupt the services on a machine within seconds. Instead of using nested entities inside the XML document, the Quadratic Blowup attack simply repeats a single large entity, tens of thousands of characters long, over and over again.
With this type of attack, an XML document of a few hundred kilobytes can end up occupying hundreds of megabytes or even gigabytes of memory, which is easily enough to take down the whole site or web server. According to Goldshleger:

<?xml version="1.0"?>
<!DOCTYPE DoS [
  <!ENTITY x "xxxxxxxxxxxxxxxxx...">
]>
<DoS>&x;&x;&x;&x;&x;&x;&x;&x;&x;...</DoS>

“If the attacker sets the length of the entity &x; to 55 thousand characters and refers to this entity 55 thousand times inside the DoS element, the parser encounters an XML Quadratic Blowup attack payload of just over 200 KB in size, which expands to 2.5 GB when parsed. This expansion will be enough to kill the parsing process.”

In PHP, the default memory limit is 128 MB per process, so in theory a single XML bomb cannot exceed 128 MB. However, the Apache web server's MaxClients directive defaults to 256, and the MySQL database's max_connections parameter defaults to 151. Multiplying the per-process limit by the number of concurrent connections (128 MB x 151) gives 19,328 MB, which is enough to consume all available memory.

To attack a server successfully, an attacker must determine the memory limit on the victim's server. If the payload exceeds the PHP limit, the server rejects the excess and the attack fails. A payload that stays within the limit, however, delivers the intended load and takes the system down.
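The defensive counterpart to the sizing arithmetic above is to estimate a document's entity expansion before handing it to a full XML parser. The following Python screen is an added example, not code from the article or from WordPress or Drupal: it collects the internal entity declarations, counts how often each is referenced in the document body, and rejects documents whose amplification ratio or expanded size exceeds a policy threshold. The threshold constants and the two sample documents are constructed for this example; `quadratic_blowup_estimate` reproduces the article's 55,000 x 55,000 arithmetic without building any payload in memory.

```python
import re

# Internal general entity declarations: <!ENTITY name "value"> or <!ENTITY name 'value'>
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')

# Policy thresholds (assumed values for this example; tune to the traffic you expect)
MAX_AMPLIFICATION = 10.0        # expanded bytes per raw byte
MAX_EXPANDED_BYTES = 1_000_000  # hard cap on the estimated expanded size


def estimate_expansion(xml_text):
    """Return (raw_bytes, expanded_bytes) for one level of entity substitution.

    Only internal entities from the DOCTYPE's internal subset are modelled, and
    references inside entity values (the nested Billion Laughs shape) are not
    followed; this is a pre-parse triage step, not a full DTD processor.
    """
    raw = len(xml_text.encode("utf-8"))
    entities = {}
    for m in ENTITY_DECL.finditer(xml_text):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        entities[m.group(1)] = value

    # Count references in the document body only, i.e. after the internal subset closes.
    end = xml_text.find("]>")
    body = xml_text[end + 2:] if end != -1 else xml_text

    extra = 0
    for name, value in entities.items():
        ref = "&" + name + ";"
        # each reference is replaced by the value, so it grows by (value - reference) bytes
        extra += body.count(ref) * (len(value.encode("utf-8")) - len(ref))
    return raw, raw + extra


def is_safe(xml_text, max_ratio=MAX_AMPLIFICATION, max_bytes=MAX_EXPANDED_BYTES):
    """True if the document's estimated expansion is within policy."""
    raw, expanded = estimate_expansion(xml_text)
    if expanded > max_bytes:
        return False
    return raw == 0 or expanded / raw <= max_ratio


def quadratic_blowup_estimate(entity_len, references):
    """Arithmetic only: raw and expanded sizes of a single-entity quadratic payload.

    Nothing is built in memory. The raw size counts the entity value once plus
    three bytes ('&x;') per reference; the expanded size is entity_len * references.
    """
    raw = entity_len + 3 * references
    return raw, entity_len * references


# Constructed sample documents (not real traffic) used to exercise the screen.
BENIGN_DOC = ('<?xml version="1.0"?><!DOCTYPE d [ <!ENTITY co "Example Co"> ]>'
              '<d>&co; and &co;</d>')
# A 100-byte entity referenced 100 times: the shape the article describes, scaled
# down to a few hundred bytes so it is harmless to hold in a string.
BLOWUP_DOC = ('<?xml version="1.0"?><!DOCTYPE DoS [ <!ENTITY x "' + "x" * 100 + '"> ]>'
              '<DoS>' + "&x;" * 100 + '</DoS>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("blowup", BLOWUP_DOC)):
        raw, expanded = estimate_expansion(doc)
        print(f"{label}: raw={raw} expanded={expanded} safe={is_safe(doc)}")
    raw, expanded = quadratic_blowup_estimate(55_000, 55_000)
    print(f"article's case: raw~{raw / 1024:.0f} KB, expanded~{expanded / 2**30:.2f} GiB")
```

For the article's parameters the estimate gives a raw payload of about 220 KB and an expanded size of 3,025,000,000 bytes (roughly 2.8 GiB), in line with the "just over 200 KB" and "2.5 GB" figures quoted above. The screen runs in linear time on the raw input and allocates nothing proportional to the expanded size, which is the property that makes it usable in front of an XML-RPC endpoint.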

Source: https://habr.com/ru/post/232601/
