
Major security flaw in millions of websites


If you or anyone you know is using WordPress or Drupal for their website, update them as soon as possible.

A vulnerability discovered by Salesforce.com researcher Nir Goldshlager means that any Drupal or WordPress site could be taken down with a few simple keystrokes. Both Drupal and WordPress have released updates to plug this dangerous hole, but it's up to users to plug them into their sites.

Goldshlager built his site-killing hack with a modified version of the well-known "XML Quadratic Blowup Attack." Here's how it works, in Goldshlager's words (and don't worry, I'll explain in plain English, too).

"If an attacker defines the entity '&x;' as 55,000 characters long, and refers to that entity 55,000 times inside the 'DoS' element, the parser ends up with an XML Quadratic Blowup attack payload slightly over 200 KB in size that expands to 2.5 GB when parsed. This expansion is enough to take down the parsing process."

Basically, the file tricks a server into expanding one large entity an enormous number of times. A small upload balloons into gigabytes of data inside the parser, the server runs out of resources holding it, and the parsing process crashes. Goldshlager disclosed the details of his hack to the companies that would be most affected by the attack before he published his discovery.
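As an added defensive example (not code from the article, WordPress or Drupal), the following Python estimates how large an XML document would become once its DTD entities are expanded and rejects it before a real parser ever sees it. The function and entity names are my own, and `blowup_sample` builds a constructed, scaled-down copy of the payload shape Goldshlager describes purely to show the check catching it.

```python
"""Pre-check untrusted XML for entity-expansion blowup without materialising it."""
import re

# General entity declarations in the internal DTD subset: <!ENTITY name "value">
_ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&([\w.:-]+);')

def declared_entities(xml_text):
    """Map entity name -> replacement text for every declared general entity."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _ENTITY_DECL.finditer(xml_text)}

def expanded_size(text, entities, depth=0, max_depth=16):
    """Length of `text` once every entity reference is (recursively) expanded."""
    if depth > max_depth:  # self-referencing chains (billion laughs) never terminate
        raise ValueError("entity nesting too deep")
    total, pos = 0, 0
    for m in _ENTITY_REF.finditer(text):
        total += m.start() - pos
        name = m.group(1)
        if name in entities:
            total += expanded_size(entities[name], entities, depth + 1, max_depth)
        else:  # built-ins such as &amp; or undeclared names pass through unchanged
            total += m.end() - m.start()
        pos = m.end()
    return total + len(text) - pos

def check_expansion(xml_text, max_bytes=1_000_000):
    """Return (ok, estimated_size); ok is False when the expanded body would
    exceed max_bytes or the entities are recursive. This is a regex heuristic
    over the internal DTD, so pair it with a parser that also limits expansion."""
    entities = declared_entities(xml_text)
    doctype = xml_text.find("<!DOCTYPE")
    end = xml_text.find("]>", doctype) if doctype != -1 else -1
    body = xml_text[end + 2:] if end != -1 else xml_text
    try:
        size = expanded_size(body, entities)
    except ValueError:
        return False, None
    return size <= max_bytes, size

def blowup_sample(n=2000):
    """Constructed, scaled-down copy of the payload shape described above:
    an n-character entity referenced n times (about 8 KB that expands to 4 MB)."""
    return ('<?xml version="1.0"?>\n<!DOCTYPE DoS [\n<!ENTITY x "' + "A" * n
            + '">\n]>\n<DoS>' + "&x;" * n + '</DoS>')
```

Running `check_expansion(blowup_sample())` rejects the sample with an estimated 4,000,012 bytes, while a document whose entities expand to a few dozen bytes passes.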

Source: Mashable