Massive Security Vulnerability Puts Your WordPress and Drupal Websites at Risk

Published by Designzillas on September 6, 2014


You’ve probably heard a little bit about the major security vulnerability up against WordPress and Drupal websites, but have you actually taken it seriously? If your website is hosted on a WordPress or Drupal installation, take notice of this post and update your website now.


Drupal & WordPress Are Everywhere

WordPress and Drupal are currently two of the most widely used CMSes available. WordPress powers 74.6 million websites and 22% of newly registered U.S. domains; Drupal is used by 5.2% of all websites, including some of the most prestigious (the President of the United States' site among them). That's a ton of websites and a ton of businesses at stake. Don't let yours be one.

So What is This Attack?

They're calling it an XML Quadratic Blowup Attack. No, that's not a horrible question on an algebra test; it's a security vulnerability that could render your website useless almost instantly. Imagine that your sworn enemy stealthily releases a bag of spiders somewhere in your home without you knowing. You casually notice more and more spiders invading your home until one day it's so out of control that your house is no longer inhabitable. Think of it like that: someone unleashes a giant bag of spiders into your website, except instead of spiders, it's a specially crafted XML document.

Basically, an attacker sends a deliberately crafted XML document to your site's XML-RPC endpoint (xmlrpc.php in WordPress; Drupal's XML-RPC handling had the same weakness) that takes advantage of the way the XML parser handles entities. The document defines one large entity and then references it thousands of times, so a request of a few kilobytes expands to hundreds of megabytes once it is parsed. Each such request ties up a PHP worker and its memory; enough of them in parallel exhaust the server's memory and CPU, and the site stops responding. Unlike the older "billion laughs" attack, the expansion is not nested, so it slips past parsers that only refuse nested entity definitions.
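The expansion arithmetic above, as an added Python example that is not from the original post, WordPress or Drupal: build_blowup() constructs a small XML-RPC style request with one internal entity of n bytes referenced m times (about n + 3m bytes on the wire, n times m bytes once parsed), expanded_text_size() feeds it to the standard-library expat parser and counts the text the parser actually produces, and parse_rpc_hardened() applies the simplest pre-parse guard, refusing any request that carries a DOCTYPE, which XML-RPC never needs. The function names, the constructed document and the sizes are my own choices; the sizes are kept tiny (10 KB expanded) so the script runs anywhere. Note that expat 2.4 and later enforce an amplification limit of their own once parsed output reaches a few megabytes, so a full-size payload may be refused by the parser rather than exhaust memory.

```python
"""Added example: XML quadratic blowup (one large entity referenced many times)
and a pre-parse guard for an XML-RPC endpoint. Not code from WordPress, Drupal
or the original post; names, sample document and sizes are illustrative."""
import xml.parsers.expat


def build_blowup(entity_len, refs):
    """Return a constructed XML-RPC-style request carrying one internal entity
    of entity_len bytes that is referenced refs times in the method name.
    Wire size is about entity_len + 3*refs bytes; parsed text is
    entity_len*refs bytes, so the ratio grows without any nested entities."""
    entity = "A" * entity_len
    body = "&a;" * refs
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE methodCall [<!ENTITY a "{entity}">]>\n'
        f"<methodCall><methodName>{body}</methodName></methodCall>"
    )


def expanded_text_size(xml_doc):
    """Parse with the standard-library expat parser, which expands internal
    entities, and return the number of characters of text it hands back.
    That count is what the application ends up holding in memory."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_doc, True)
    return total


def has_doctype(xml_doc):
    """XML-RPC requests never need a DTD, and the internal subset of a DOCTYPE
    is the only place an internal entity can be declared, so its presence is
    a reliable sign of abuse. The check runs on the decoded text."""
    return "<!doctype" in xml_doc.lower()


def parse_rpc_hardened(xml_doc):
    """Guarded parse: refuse before the parser ever sees the entity."""
    if has_doctype(xml_doc):
        raise ValueError("rejected XML-RPC request: DOCTYPE not allowed")
    return expanded_text_size(xml_doc)


if __name__ == "__main__":
    doc = build_blowup(entity_len=100, refs=100)
    print(f"request chars: {len(doc)}, parsed text chars: {expanded_text_size(doc)}")
    try:
        parse_rpc_hardened(doc)
    except ValueError as exc:
        print(exc)
```

Run it and the 100-by-100 document, about 500 bytes on the wire, yields 10,000 characters of parsed text; scale both numbers to a few thousand and the same request produces tens of megabytes. Two cautions for a real endpoint: run the DOCTYPE check on the body after decoding it the way the parser will (a UTF-16 encoded request would slip past a naive substring match on raw bytes), and treat the check as a complement to, not a replacement for, a parser with entity expansion limits.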

Check out the video by Nir Goldshlager, the security researcher at Salesforce.com who found the bug.

All is Not Lost

Even though this sounds like the end all be all, there are precautions you can take. If you're running any WordPress version from 3.5 through 3.9.1, or any Drupal 6.x or 7.x release before the fix, you are vulnerable. Both projects have released patched versions (WordPress 3.9.2; Drupal 7.31 and 6.33), so update. Even if you think automatic updates are set up, log in and confirm the installed version yourself: some web hosts switch automatic updates off, and WordPress only gained automatic background updates in 3.7. It's better to be safe than sorry!

Already been hit? Because this is a denial-of-service attack rather than a code injection, there is no infected file to hunt for and delete. Apply the patch, restart the web server or PHP process pool if it is still wedged, and block the source addresses of the flood at the host or firewall if the requests keep coming. If you aren't comfortable doing this, ask your service provider to help. If you haven't been hit yet, go update your website now!
