XML quadratic blowup denial of service attack
Description
This vulnerability affects XML parsers that do not properly limit entity expansion, allowing an attacker to cause a denial of service with a specially crafted XML document. The attack is a variant of the well-known Billion Laughs attack but needs no nested entities: the document's internal DTD defines a single large entity (tens of kilobytes) and the body references it tens of thousands of times, so the expanded size is the entity size multiplied by the reference count. Because nothing nests, parser protections that only cap entity nesting depth do not trigger. When parsed, a relatively small XML file (approximately 200KB) can consume 100MB to several GB of memory and significant CPU time. This vulnerability has been identified in the WordPress and Drupal XMLRPC implementations, which hand untrusted request bodies to PHP XML parsers that expand internal entities without bounding the result.
Remediation
Apply the following mitigations in order of preference:
1. Update affected software: Upgrade WordPress or Drupal to the latest patched version (WordPress 3.9.2 and Drupal 6.33/7.31 or later) that includes fixes for XML entity expansion vulnerabilities.
2. Configure XML parser limits: If immediate patching is not possible, bound entity expansion before untrusted XML reaches the parser. Note that disabling external entity loading blocks XXE but does not stop the quadratic blowup, which uses only internal entities declared in the document's own DTD. For PHP applications using libxml, the following configuration prevents external entity loading (libxml_disable_entity_loader() is deprecated as of PHP 8.0, where external loading is already off by default):
libxml_disable_entity_loader(true);
libxml_set_external_entity_loader(function() { return null; });
To address the quadratic blowup itself, reject or strip any <!DOCTYPE ...> declaration from untrusted input before parsing (without a DTD no entities can be declared), cap the size of the request body, and, when using DOMDocument or SimpleXML, do not pass the LIBXML_NOENT flag, which is what instructs libxml to substitute entity references.
3. Restrict XMLRPC access: If XMLRPC functionality is not required, disable it entirely or restrict access using web server rules. For Apache, add to .htaccess:
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
On Apache 2.4 the Order and Deny directives only work when mod_access_compat is loaded; the 2.4 equivalent is the single directive Require all denied inside the same Files block.
For Nginx, add to server configuration:
location ~* ^/xmlrpc.php$ {
    deny all;
}
4. Implement rate limiting: Apply rate limiting rules to XMLRPC endpoints (for example, nginx limit_req_zone and limit_req) to reduce the impact of potential attacks. Rate limiting only slows an attacker down; a single request can still exhaust memory, so it complements rather than replaces the measures above.
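As an added example (editor's code, not part of this advisory, WordPress or Drupal), the Python below builds the payload shape the Description covers and applies the kind of pre-parse guard that mitigation step 2 calls for: it estimates the expanded size of a document that uses single-level internal entities without running an XML parser, and either rejects a DOCTYPE outright or bounds the estimate when a DTD must be allowed. All function names and the size limits are assumptions chosen for illustration; the estimate models only literal internal entities and treats anything else (nested values, parameter entities, SYSTEM/PUBLIC entities) as unbounded.

```python
"""Added example for the quadratic blowup described above and for
mitigation step 2. Editor's own code, not part of the advisory, WordPress
or Drupal; every function name and limit here is hypothetical."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Whole DOCTYPE with an optional internal subset; assumes the subset is
# closed by the first "]" followed by ">", which holds for well-formed input.
DOCTYPE_FULL_RE = re.compile(r"<!DOCTYPE\b[^>\[]*(?:\[.*?\]\s*)?>",
                             re.IGNORECASE | re.DOTALL)
# Internal general entity with a literal value: <!ENTITY name "value">
ENTITY_DECL_RE = re.compile(r'''<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
ENTITY_ANY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"&(\w+);")


def quadratic_blowup_payload(entity_size: int, references: int) -> str:
    """Constructed XML-RPC request: one internal entity of entity_size bytes,
    referenced `references` times. Nothing nests, so parser checks that only
    limit entity depth (the Billion Laughs defence) never fire."""
    big = "A" * entity_size
    refs = "&big;" * references
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE methodCall [\n"
        f'  <!ENTITY big "{big}">\n'
        "]>\n"
        "<methodCall><methodName>demo.sayHello</methodName>\n"
        f"<params><param><value><string>{refs}</string></value></param></params>\n"
        "</methodCall>\n"
    )


def estimate_expansion(xml: str) -> tuple[int, int]:
    """Return (raw_size, expanded_size) without parsing the XML.

    Only single-level internal entities are modelled: each reference in the
    body costs the entity's full length. Any declaration the model does not
    cover (nested value, parameter entity, SYSTEM/PUBLIC external entity)
    yields expanded_size -1 so the caller treats it as unbounded."""
    values: dict[str, str] = {}
    for m in ENTITY_DECL_RE.finditer(xml):
        values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    declared = len(ENTITY_ANY_RE.findall(xml))
    if declared != len(values) or any("&" in v for v in values.values()):
        return len(xml), -1
    doctype = DOCTYPE_FULL_RE.search(xml)
    body = xml[doctype.end():] if doctype else xml  # declarations do not expand
    expanded = len(body)
    for m in ENTITY_REF_RE.finditer(body):
        value = values.get(m.group(1))
        if value is not None:  # undeclared names (e.g. &amp;) stay literal
            expanded += len(value) - len(m.group(0))
    return len(xml), expanded


def check_xml_rpc_body(xml: str, max_bytes: int = 1_000_000,
                       max_expansion: int = 10_000_000,
                       allow_dtd: bool = False) -> tuple[bool, str]:
    """Pre-parse guard. Default policy: reject any DOCTYPE, so no entities
    can be declared at all. With allow_dtd=True, bound the estimate instead."""
    if len(xml) > max_bytes:
        return False, "request body too large"
    if DOCTYPE_RE.search(xml):
        if not allow_dtd:
            return False, "DOCTYPE not allowed in XML-RPC requests"
        _, expanded = estimate_expansion(xml)
        if expanded < 0:
            return False, "unsupported or nested entity declaration"
        if expanded > max_expansion:
            return False, f"entity expansion of {expanded} bytes exceeds limit"
    return True, "ok"


if __name__ == "__main__":
    payload = quadratic_blowup_payload(entity_size=50_000, references=40_000)
    raw, expanded = estimate_expansion(payload)
    print(f"{raw} raw bytes would expand to {expanded} bytes ({expanded // raw}x)")
    print(check_xml_rpc_body(payload))
    print(check_xml_rpc_body(payload, allow_dtd=True))
```

Run as a script it reports that a request of roughly 250KB would expand to about 2GB, the ratio the Description gives, and that the guard rejects it under both policies. In PHP the equivalent check belongs in front of xml_parse() or simplexml_load_string(), before the XML-RPC message is handed to the parser; the strict DOCTYPE rejection is the cheaper choice because XML-RPC requests never need a DTD.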