13 August 2014

An attack against websites using Drupal or WordPress platforms has been discovered that can lead to sites crashing.

Millions of websites use either Drupal or WordPress.

Updates have been released for both platforms that address the issue. If you have a website using either system you should update immediately.

The attack focuses on XML parsing, a process by which websites interpret an XML file. If your website allows users to upload files or send messages, a malicious user could send a specially crafted file which stops your website from operating (known as a denial of service (or DoS) attack).

Typically, when a website receives a file it will attempt to parse (interpret) the file. Because of a flaw in the code of WordPress and Drupal systems, a malicious XML file will cause the program to become stuck in a loop, leading it to spend an extremely long time on this process, which may crash the computer operating the website.

The vulnerability affects WordPress versions up to 3.9.1. It was addressed in version 3.9.2.

Drupal 6 is affected in versions prior to 6.33, while Drupal 7 is affected in versions prior to 7.31. It was addressed in both of these updates.

Updating your website

WordPress introduced automated updates in version 3.7. If your website has this feature and it is turned on, your website will be automatically updated. If this feature is not available, WordPress has released instructions on how to upgrade on its website.

Drupal users can update their website by following instructions provided by Drupal.

Updates to Drupal and WordPress may overwrite custom modifications you have made to files on your server. If you are unsure about how this will affect your website, seek technical advice before updating.

More information

More technical information about the vulnerability is provided by the researcher.

Drupal has also released technical information about the vulnerability.

Stay Smart Online provides information for businesses and home users on keeping software up to date.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au
You are receiving this message at the address [Email].
Update your profile preferences
If you no longer wish to receive this information, you can unsubscribe.

© 2013 Australian Government. All rights reserved

Connect with Stay Smart Online