Yesterday, Mashable reported on a recent vulnerability discovery for self-hosted WordPress and Drupal websites.

Nir Goldshlager discovered this major security threat to a wide swath of the internet's websites (WordPress alone powers about 23% of them!). 

What's this threat about?

This threat is a denial-of-service (DoS) attack: an attempt to make a machine or network resource unavailable to its intended users.

In other words, it makes websites and servers inaccessible.

This specific attack is a form of XML quadratic blowup attack (a single large XML entity referenced many times, so a small request expands into a huge document), but it differs from the usual attacks of this type by "distorting [how] the Memory Limit and MySQL, and Apache Max Clients works".

Here's how Mashable describes it:

Here's the problem: Apache, the world's most popular web server, has its "Max Clients" property set to 256 by default. Meanwhile, MySQL, the database that WordPress and Drupal use, has its default "Max Connections" value set to 151.

If we multiply those connections against one another (128×151), we get 19328MB — which will consume all available memory.
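The kind of pre-parse guard a site operator could place in front of an XML-RPC endpoint, added here as an example (it is not the WordPress or Drupal patch and not code from the original post); the request bodies, entity names and thresholds are constructed for the demonstration:

```python
import re

# Pre-parse guard for XML-RPC request bodies (added example; not the
# WordPress or Drupal fix). It estimates how much memory general-entity
# expansion would cost before the body reaches a real XML parser.

ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
INTERNAL_DTD = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)

def estimate_expansion(xml_text):
    """Bytes that entity expansion would add to the parsed document.

    Quadratic blowup: one entity with a large replacement text referenced
    many times, so cost ~= len(value) * references. Entities whose value
    references other entities (nested expansion) are treated as unbounded.
    """
    m = INTERNAL_DTD.search(xml_text)
    if m is None:
        return 0                      # no internal DTD, nothing to expand
    subset, body = m.group(1), xml_text[m.end():]
    total = 0
    for name, value in ENTITY_DECL.findall(subset):
        if '&' in value:              # nested reference: refuse to estimate
            return float('inf')
        total += body.count('&%s;' % name) * len(value)
    return total

def is_acceptable_request(xml_text, max_body=64 * 1024, max_expansion=256 * 1024):
    """True if the body is small and its entity-expansion cost is bounded."""
    if len(xml_text) > max_body:
        return False
    return estimate_expansion(xml_text) <= max_expansion

# Constructed sample inputs (hypothetical method name and values).
NORMAL_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>demo.sayHello</methodName>
<params><param><value><string>hi</string></value></param></params>
</methodCall>"""

# A tiny document with the shape the post describes: one entity referenced
# repeatedly (here a 100-byte value referenced 40 times -> 4000 bytes).
REPEATED_ENTITY = ('<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY e "%s">]>\n<r>%s</r>'
                   % ('a' * 100, '&e;' * 40))
```

Legitimate XML-RPC calls never need an internal DTD, so a stricter deployment can simply reject any body in which `INTERNAL_DTD` matches.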

Who is affected?

If you use WordPress or Drupal, you are most likely vulnerable to this attack.

WordPress versions 3.5 to 3.9 (including default installation)

Drupal versions 6.x and 7.x (including default installation)

Both WordPress and Drupal have released fixes to this problem.

If you are on WordPress and have automatic updates enabled, you are probably protected (but you might want to check just to be sure).

If you are on Drupal or update your WordPress system manually, you'll want to update right now.

Drupal users will want to update to version 6.33 for Drupal 6 and 7.31 for Drupal 7. Visit the Drupal Upgrade website for more information.

If you are a Drupal site owner but you're not sure how to proceed with this update, please contact us and we'll help you figure it out.

Thankfully, Mr. Goldshlager shared his discovery with WordPress and Drupal before disclosing it publicly to minimize the risk of widespread exploitation.

However, risks remain as long as you don't update either your Drupal or WordPress installation.

Final words

Update your WordPress or Drupal install right now!