Reasons of Software Security Blemish Affecting Millions of Drupal Sites

24 Sep 2014

.One of the most used content management systems, the "very popular" Drupal has new vulnerabilities that are expected to affect several websites based on it. Its quite a severe flaw discovered by Nir Goldshalger who found that it becomes a lot easier to take down a Drupal website with some simple keystrokes.

While the news severly affected the decision of businesses planning to go for Drupal website development, it also raised the urgency to find a quick solution to the issue. It was necessary as even a number of US government sites are Drupal based. The vulnerability has come to light owing to the potential Denial of Service (DoS) issue with PHP's XML processing module that is used by Drupal.

How Goldshalger Highlighted the Drupal Vulnerability !

Goldshalger made use of the modified version of XML Quadratic Blowup Attack to build a site-killing hack and thus discovered the flaw. The file prompts the server to parse a huge number of variables several times, thus causing the server to toil extremely hard till it comes close to a server-crash state.

He also provided the details of the hack made by him to the relevant company prior to releasing the discovery for its publication. Goldshalger also explained that its quite possible to employ the vulnerability without making use of any plug-ins and in the case of default installation of the CMS, the vulnerability works seamlessly.

Its Not Merely Drupal Facing the Heat Here...

Besides the popular CMS Drupal, the flaw was also detected in WordPress, a CMS that solely empowers around 23% of the web. While the XML vulnerability makes impact on Drupal versions 6.x to 7.x, it affects versions 3.5 to 3.9 of WordPress.

Exploiting the Attack

For PHP (the language employed for writing WordPress and Drupal), the memory allocation limit by default is 128MB per process. It simply means that one can't go over the mentioned 128MB limit with any XML bomb request.

Let's understand the problem. The "Max Clients" property of the world's most eminent web server Apache is set to 256 by default. In  the meantime, the default "Max Connections" value of MySQL, the popular database used by  WordPress and Drupal has been set to 151.

On multiplying these connections (128x151), what we attain is 19328MB, which  is capable of consuming all available memory.  The attacker will require fingerprinting the memory limit available on the victim's server if he desires to attack the server with success.

However, in case the attack overwrites the pre-defined PHP limit, the overwrite will get rejected by the server, thereby rendering the attack attempt unsuccessful. But in case the attack is successful, it will surely bring down the complete system.

 How to Fix the Drupal & WordPress Vulnerability Issue

In order to provide users optimum protection from the vulnerability, Drupal and WordPress have gone for updating their software. Based on your setup, the update procedure will differ. So, its recommended that all Drupal and WordPress site users immediately update their websites.

"From the Editor's Desk" is not just about the content. Our content writers will be sharing their thoughts on industry trends, new technologies, and emerging topics that are relevant to our readers. We believe that it's important to stay up-to-date with the latest news and trends, and We excited to share my thoughts and insights with you.