One of the most widely used content management systems, Drupal, has a new vulnerability that is expected to affect many websites built on it. It is quite a severe flaw, discovered by Nir Goldshlager, who found that a Drupal website can be taken down with a few simple keystrokes.
While the news weighed heavily on businesses planning Drupal website development, it also made finding a quick fix urgent, since a number of US government sites are Drupal based. The vulnerability stems from a potential Denial of Service (DoS) issue in PHP's XML processing module, which Drupal uses.
How Goldshlager Highlighted the Drupal Vulnerability!
Goldshlager used a modified version of the XML Quadratic Blowup Attack to build a site-killing request and thereby discovered the flaw. The crafted file prompts the server to parse a huge number of variables many times over, making the server work extremely hard until it comes close to crashing.
He provided details of the attack to the relevant vendors before publishing his findings. Goldshlager also explained that the vulnerability can be exploited without any plug-ins and works against a default installation of the CMS.
It's Not Merely Drupal Facing the Heat Here...
Besides the popular CMS Drupal, the flaw was also found in WordPress, a CMS that alone powers around 23% of the web. The XML vulnerability affects Drupal versions 6.x to 7.x and WordPress versions 3.5 to 3.9.
Exploiting the Attack
For PHP (the language in which WordPress and Drupal are written), the default memory allocation limit is 128MB per process. This means a single XML bomb request cannot consume more than that 128MB limit.
Let's understand the problem. The "Max Clients" setting of Apache, the world's most widely used web server, defaults to 256. Meanwhile, the default "Max Connections" value of MySQL, the popular database used by WordPress and Drupal, is 151.
Multiplying the per-process memory limit by the number of connections (128x151) gives 19328MB, which is enough to consume all available memory. An attacker would need to fingerprint the memory limit on the victim's server in order to attack it successfully.
However, if the attack tries to exceed the pre-defined PHP limit, the server rejects the request, rendering the attempt unsuccessful. But if the attack succeeds, it will bring down the whole system.
How to Fix the Drupal & WordPress Vulnerability Issue
To protect users from the vulnerability, Drupal and WordPress have both released software updates. The update procedure differs depending on your setup, so all Drupal and WordPress site owners are advised to update their websites immediately.
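As an added defensive illustration (not code from this article, Drupal or WordPress), the Python below shows the kind of pre-parse check an XML-RPC endpoint can apply before handing a request body to the XML parser: XML-RPC never needs a DTD, so a DOCTYPE is rejected outright, and the single-level entity expansion (one entity referenced many times, the quadratic pattern described above) is estimated for logging and alerting. The request bodies, the threshold and the function names are constructed for this example.

```python
import re

# Hypothetical policy value for this example; tune it to the deployment.
MAX_EXPANSION_BYTES = 1_000_000

# Internal general entity declarations: <!ENTITY name "value"> or 'value'.
ENTITY_DEF = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2', re.S)
ENTITY_REF = re.compile(r'&(\w+);')


def estimate_entity_expansion(xml_text):
    """Bytes the document body would grow by if every reference to an
    internally declared entity were expanded once. Only one level is
    counted (the quadratic pattern: one large entity referenced many
    times); nested entity chains would need a recursive estimate."""
    defs = {name: value for name, _, value in ENTITY_DEF.findall(xml_text)}
    if not defs:
        return 0
    # Count references in the document body, after the internal DTD subset.
    end = xml_text.find(']>')
    body = xml_text[end + 2:] if end != -1 else xml_text
    return sum(len(defs[n]) for n in ENTITY_REF.findall(body) if n in defs)


def check_xmlrpc_body(raw_body, strict=True, max_expansion=MAX_EXPANSION_BYTES):
    """Return (accept, reason) for a raw XML-RPC request before parsing.
    strict=True rejects any DOCTYPE, which valid XML-RPC never needs;
    strict=False only rejects when the estimated expansion is too large."""
    has_doctype = re.search(r'<!DOCTYPE', raw_body, re.I) is not None
    expansion = estimate_entity_expansion(raw_body)
    if strict and has_doctype:
        return False, "doctype-not-allowed"
    if expansion > max_expansion:
        return False, "entity-expansion-%d-exceeds-%d" % (expansion, max_expansion)
    return True, "ok"


# Constructed sample request bodies for illustration.
SAFE_REQUEST = (
    '<?xml version="1.0"?>'
    '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>'
)
# Deliberately tiny instance of the quadratic pattern: a 16-byte entity
# referenced 8 times expands to 128 bytes; real attacks scale both factors.
BLOWUP_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE methodCall [<!ENTITY a "' + 'A' * 16 + '">]>'
    '<methodCall><methodName>' + '&a;' * 8 + '</methodName></methodCall>'
)

if __name__ == "__main__":
    for name, body in (("safe", SAFE_REQUEST), ("blowup", BLOWUP_REQUEST)):
        print(name, check_xmlrpc_body(body), estimate_entity_expansion(body))
```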