XML quadratic blowup denial of service attack

Description
  • WordPress and Drupal are affected by a DoS (denial of service) vulnerability on the PHP XML parser used by their XMLRPC implementations. The issue lies in the XML entity expansion parser that can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. The vulnerability is named XML quadratic blowup attack and was reported by Nir Goldshlager.<br/><br/> "An XML quadratic blowup attack is similar to a Billion Laughs attack. Essentially, it exploits the use of entity expansion. Instead of deferring to the use of nested entities, it replicates one large entity using a couple thousand characters repeatedly. A medium-sized XML document of approximately two hundred kilobytes may require anywhere within the range of one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, an attacker is then able to achieve a higher ratio of success."
Remediation
  • Update WordPress/Drupal to the latest version or restrict access to the xmlrpc file.
References