Reasons for the Software Security Blemish Affecting Millions of Drupal Sites

24 Sep 2014

“The new vulnerabilities detected in Drupal have affected the decisions of several businesses planning Drupal website development. Besides Drupal, WordPress is another powerful CMS facing the same vulnerability. However, updating the Drupal/WordPress installation is proving to be an effective solution to this issue.”

One of the most used content management systems, the "very popular" Drupal, has new vulnerabilities that are expected to affect several websites based on it. It is quite a severe flaw, discovered by Nir Goldshlager, who found that it becomes a lot easier to take down a Drupal website with some simple keystrokes.

While the news severely affected the decisions of businesses planning to go for Drupal website development, it also raised the urgency of finding a quick solution to the issue. That was necessary because even a number of US government sites are Drupal based. The vulnerability came to light owing to a potential Denial of Service (DoS) issue in PHP's XML processing module, which Drupal uses.

How Goldshlager Highlighted the Drupal Vulnerability

Goldshlager used a modified version of the XML Quadratic Blowup Attack to build a site-killing request and thus discovered the flaw. The crafted XML file prompts the server to expand a large entity a huge number of times, making the server work extremely hard until it comes close to a crash.

He also provided the details of the hack to the relevant companies prior to publishing the discovery. Goldshlager also explained that it is quite possible to exploit the vulnerability without using any plug-ins, and that on a default installation of the CMS the vulnerability works seamlessly.

It's Not Merely Drupal Facing the Heat Here...

Besides the popular CMS Drupal, the flaw was also detected in WordPress, a CMS that alone powers around 23% of the web. While the XML vulnerability affects Drupal versions 6.x to 7.x, it affects versions 3.5 to 3.9 of WordPress.

Exploiting the Attack

For PHP (the language in which WordPress and Drupal are written), the default memory allocation limit is 128MB per process. This simply means that a single XML bomb request cannot consume more than that 128MB limit.

Let's understand the problem. The "Max Clients" setting of Apache, the world's most widely used web server, is 256 by default. Meanwhile, the default "Max Connections" value of MySQL, the popular database used by WordPress and Drupal, is 151.

Multiplying the per-process limit by the number of connections (128MB x 151) gives 19328MB, which is enough to consume all available memory. To attack the server successfully, the attacker would need to fingerprint the memory limit available on the victim's server.

However, if the payload expands beyond the pre-defined PHP limit, the request is rejected by the server, rendering the attack attempt unsuccessful. But if the attack stays within the limit and succeeds, it will bring down the complete system.
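A pre-parse guard of the kind a defender would want here, added as an illustrative example (not WordPress's or Drupal's own code): it estimates how large a document's internal entities would expand to and refuses the document before it reaches the XML parser when the estimate exceeds the per-process memory budget described above. The regex-based entity model, the SAMPLE document and the PHP_MEMORY_LIMIT constant are constructed assumptions.

```python
import re

# Budget assumed from the page: PHP's default memory_limit of 128MB per process.
PHP_MEMORY_LIMIT = 128 * 1024 * 1024

# Illustrative model of internal entity declarations; external (SYSTEM/PUBLIC)
# entities and single-quoted values are deliberately not matched.
_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r'&(\w+);')


def estimate_expansion(xml_text):
    """Worst-case size of the document once its internal entities are expanded.

    Entity values may reference entities declared before them, so sizes are
    resolved in declaration order. That covers the quadratic blowup (one large
    entity referenced many times) as well as nested expansion chains.
    """
    sizes = {}
    for name, value in _ENTITY_DECL.findall(xml_text):
        size = len(value)
        for ref in _ENTITY_REF.findall(value):
            if ref in sizes:
                size += sizes[ref] - (len(ref) + 2)  # '&ref;' becomes its value
        sizes[name] = size

    # Only references in the body (after the DOCTYPE's ']>') count towards output.
    end = xml_text.find(']>')
    body = xml_text[end + 2:] if end != -1 else xml_text
    total = len(body)
    for ref in _ENTITY_REF.findall(body):
        if ref in sizes:
            total += sizes[ref] - (len(ref) + 2)
    return total


def is_safe_to_parse(xml_text, budget=PHP_MEMORY_LIMIT):
    """Gate to run before handing XML-RPC or similar input to the XML parser."""
    return estimate_expansion(xml_text) <= budget


# Constructed sample: a tiny instance of the pattern, one 10-byte entity
# referenced three times inside an XML-RPC style body.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE methodCall [\n'
    '<!ENTITY a "AAAAAAAAAA">\n'
    ']>\n'
    '<methodCall><methodName>&a;&a;&a;</methodName></methodCall>'
)
```

Lowering `budget` below the estimate for SAMPLE makes the gate reject it, which is the behaviour a real deployment wants for an input that would expand past the process limit.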

How to Fix the Drupal & WordPress Vulnerability Issue

To give users optimum protection from the vulnerability, Drupal and WordPress have released updated software. The update procedure differs depending on your setup. It is therefore recommended that all Drupal and WordPress site owners update their websites immediately.
