Update available for DoS vulnerability affecting Drupal and WordPress websites
13 August 2014
An attack against websites running the Drupal or WordPress platforms has been discovered that can cause those sites to crash.
Millions of websites use either Drupal or WordPress.
Updates have been released for both platforms that address the issue. If you have a website using either system you should update immediately.
The attack targets XML parsing, the process by which a website interprets an XML file. If your website allows users to upload files or send messages, a malicious user could send a specially crafted file that stops your website from operating. This is known as a denial of service, or DoS, attack.
Typically, when a website receives a file it will attempt to parse (interpret) the file. Because of a flaw in the code of WordPress and Drupal systems, a malicious XML file will cause the program to become stuck in a loop, leading it to spend an extremely long time on this process, which may crash the computer operating the website.
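The advisory does not say how the crafted file keeps the parser busy. One common way XML input can force a parser into runaway work is through entity declarations in a DOCTYPE, so a cheap defensive control a site operator can apply to user-supplied XML is a pre-parse check that caps the input size and refuses any document carrying a DOCTYPE, which is the only place XML can declare custom entities. The following is an added example, not code from the advisory, WordPress or Drupal; the size limit and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical cap for illustration; size it for your own uploads.
MAX_XML_BYTES = 64 * 1024


class UnsafeXML(ValueError):
    """Raised when a document fails the pre-parse safety check."""


def safe_parse(data: bytes) -> ET.Element:
    """Reject oversized input and any DOCTYPE before the parser sees the bytes.

    Without a DOCTYPE the document cannot declare its own entities, so only
    the five predefined ones (&lt; &gt; &amp; &quot; &apos;) can appear and the
    parser's work stays proportional to the input size.
    """
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML(f"document exceeds {MAX_XML_BYTES} bytes")
    # A DOCTYPE belongs in the prolog, but scanning the whole input
    # case-insensitively is cheap and does not trust the prolog's layout.
    if b"<!DOCTYPE" in data.upper():
        raise UnsafeXML("DOCTYPE declarations are not accepted")
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """True if the document passes the pre-check and parses cleanly."""
    try:
        safe_parse(data)
        return True
    except (UnsafeXML, ET.ParseError):
        return False


# Constructed sample inputs (not taken from the advisory).
BENIGN = b'<?xml version="1.0"?><message><body>hello</body></message>'
WITH_DOCTYPE = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE message [<!ENTITY greet "hello">]>'
                b'<message><body>&greet;</body></message>')
OVERSIZED = b"<message>" + b"a" * MAX_XML_BYTES + b"</message>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("doctype", WITH_DOCTYPE),
                       ("oversized", OVERSIZED)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```

Apply the check to every path that accepts XML from untrusted users, not only file uploads, and log rejections so repeated crafted submissions are visible to your monitoring.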
The vulnerability affects WordPress versions up to 3.9.1. It was addressed in version 3.9.2.
Drupal 6 is affected in versions prior to 6.33, while Drupal 7 is affected in versions prior to 7.31. It was addressed in both of these updates.
Updating your website
WordPress introduced automated updates in version 3.7. If your website has this feature and it is turned on, your website will be automatically updated. If this feature is not available, WordPress has released instructions on how to upgrade on its website.
Updates to Drupal and WordPress may overwrite custom modifications you have made to files on your server. If you are unsure about how this will affect your website, seek technical advice before updating.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.