WordPress and Drupal flaw hits 23% of world's websites

Up to 230 million websites, including the US White House and the UK's main government data site, are at risk from a denial of service flaw in their WordPress and Drupal content management systems. The two suppliers have rushed out a fix.

WordPress and Drupal flaw hits 23% of world's websites
WordPress and Drupal flaw hits 23% of world's websites

The bug was revealed by Israel-based Nir Goldshlager, founder of Break Security and a senior security researcher at Salesforce.com, in a 5 August blog. It allows hackers to launch a denial of service attack on any websites run by all versions of WordPress and Drupal.

The bug affects tens or even hundreds of millions of websites. According to Wikipedia, WordPress is used on more than 60 million sites. But Netcraft estimates there are close to a billion sites worldwide, and W3Techs says WordPress is used on almost 23 percent of them, making a total of 230 million.

According to Wikipedia, Drupal is used by more than two percent of websites worldwide, including whitehouse.gov and data.gov.uk - the site where the British Government presents around 9,000 data sets from all its major ministries, including the Cabinet Office, Foreign Office and MoD.

The vulnerability enables hackers to launch an XML quadratic blow-up attack – described by Goldshlager as similar to a ‘billion laughs' attack – which means attackers can exponentially expand the space taken up by XML documents on the website's host server, to consume all the available memory and so bring down the site.

In an unprecedented move, WordPress and Drupal joined forces to fix the problem, announcing patches on 6 August in the shape of WordPress 3.9.2 and Drupal versions 7.31 and 6.33.

WordPress' statement said: “This is the first time our two projects have coordinated joint security releases,” adding: “We strongly encourage you to update your sites immediately.”

Drupal chimed in: “Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases.”

Meanwhile web security firm Incapsula, which has also issued an emergency patch across its network, confirmed: “All WordPress and Drupal website operators are advised to apply the latest security updates, released by both teams. Having tested the attack method, and witnessing the amount of grief it can cause, we strongly urge to apply these patches as soon as possible.”

The problem was fixed by Andrew Nacin and Michael Adams from WordPress, Frédéric Marand, and David Rothstein, Damien Tournoud, Greg Knaddison, Stéphane Corlosquet and Dave Reid of Drupal.

Meanwhile In a 7 August blog, security firm Sucuri has revealed another critical vulnerability in the WordPress Custom Contact Form plugin, while accusing the plugin developer of being “unresponsive" to reports of the bug.

The plugin has more than 600,000 downloads and the vulnerability affects every website using version 5.1.0.3 and lower.

Sucuri's Marc-Alexandre Montpas said the flaw allows a hacker to take control of a victim's website without requiring any sort of privileges/accounts beforehand.

“If you're a using the Custom Contact Forms WordPress plugin, you need to update it right away,” he said.

Montpas explained: “We found a critical vulnerability that allows an attacker to download and modify your database remotely (no authentication required). The vulnerability was disclosed to the plugin developer a few weeks ago. The developers were unresponsive so we engaged the WordPress Security team. They were able to close the loops with the developer and get a patch released, you might have missed it.”

Commenting on the WordPress and Drupal flaw, Graeme Batsman, security director of UK-based EncSec, warned that website administrators might well ignore the patches now made available.

He told SCMagazineUK.com via email: “Websites running WordPress are often hacked/defaced frequently and the reason is poor maintenance. Web designers often build websites, hand them over and that is it. The content may only be updated once a year and updates are forgotten about. Default settings are used, vulnerable plugins are added and nothing is updated.

“With OpenSSL Heartbleed it is estimated two months after the announcement, only a little over half plugged the flaw. This will be worse since websites are updated less than servers and workstations.

“Examples of how to exploit this are widely available and the exploit could affect the whole server, not just the website in question.”

Batsman advised: “Solutions include: patch up to the latest version or remove xmlrpc.php. A WAF (website application firewall) can come in handy by offering ‘virtual patching'. Large corporations would (or should) have WAFs in place.”