Flaw in PHP XML Processing Hits Drupal, WordPress. Time To Patch ’em Up.

For the first time, the open-source Drupal and WordPress content management teams have coordinated joint security releases to fix a new vulnerability.

The flaw, first reported by security researcher Nir Goldshlager, is a potential denial-of-service (DoS) issue with PHP’s XML processing module. Drupal and WordPress use the same PHP module, which is why both content management systems are at risk from the same flaw. Drupal is particularly prominent because it is used on U.S. government sites, including WhiteHouse.gov, and WordPress is deployed on more than 60 million sites.

“This bug can be utilized without the aid of any plug-ins, and it functions smoothly on the default installation of WordPress and Drupal,” Goldshlager explained in an advisory (which is running on a WordPress site itself). “Only one machine needed to exploit this vulnerability.”

In an advisory on the drupal.org site, the vulnerability is rated as moderately critical. The Drupal advisory explains that the bug that Goldshlager found is within the PHP XML parser and could trigger CPU and memory exhaustion, in turn causing a DoS condition on the affected site.

via New Flaw Puts Millions of WordPress, Drupal Sites at Risk.

Patches are provided by Drupal 7.31, 6.33 and WordPress 3.9.2.