For the first time, the open-source Drupal and WordPress content management teams have coordinated joint security releases to fix a new vulnerability.
The flaw, first reported by security researcher Nir Goldshlager, is a potential denial-of-service (DoS) issue with PHP’s XML processing module. Drupal and WordPress use the same PHP module, which is why both content management systems are at risk from the same flaw. Drupal is particularly prominent because it is used on U.S. government sites, including WhiteHouse.gov, and WordPress is deployed on more than 60 million sites.
“This bug can be utilized without the aid of any plug-ins, and it functions smoothly on the default installation of WordPress and Drupal,” Goldshlager explained in an advisory (which is running on a WordPress site itself). “Only one machine needed to exploit this vulnerability.”
In an advisory on the drupal.org site, the vulnerability is rated as moderately critical. The Drupal advisory explains that the bug that Goldshlager found is within the PHP XML parser and could trigger CPU and memory exhaustion, in turn causing a DoS condition on the affected site.
Both Drupal and WordPress have issued patches to fix the flaw. Drupal 7 users need to update to version 7.31, and Drupal 6 users need to update to version 6.33.
WordPress users also need to update, but thanks to automated update technology that is part of WordPress, many have likely already updated without any human intervention required. Starting with the WordPress 3.7 release in October 2013, security and bug fix updates have been automatically enabled. WordPress 3.9.2 is the latest WordPress release and is an automatic update that fixes the DoS issue.
The PHP DoS issue, however, affects WordPress versions all the way back to WordPress 3.5. As such, it’s important for site owners to make sure they update to the latest version of WordPress to fix the new flaw and to stay current with bug fixes.
The DoS issue isn’t the only security-related fix in WordPress 3.9.2. There is also a fix for a possible code-execution flaw with WordPress widgets. Additionally, there is a patch for a potential information disclosure risk via XML.
The WordPress security team has also taken steps in WordPress 3.9.2 to further harden the system against brute-force attacks and cross-site scripting risks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.