XML Quadratic Blowup Attack?

Discussion regarding Joomla! 2.5 security issues.

XML Quadratic Blowup Attack?

Post by Codeless » Thu Aug 07, 2014 9:54 pm

Hey Joomlers,

A new hack is going around that affects WordPress and Drupal websites. Wondering if this will affect Joomla sites as well? Whether 1.5, 2.5 or 3.x? Check out the article for info on it:

http://mashable.com/2014/08/06/wordpres ... -main-link


Re: XML Quadratic Blowup Attack?

Post by Bernard T » Fri Aug 08, 2014 1:36 am

AFAIK Joomla hasn't had an XML-RPC lib implemented since 1.5.x. I am not sure if 1.5 versions are vulnerable, but they are EOL after all. Maybe I'll take a peek if I get the time...

But 3rd-party extensions that use XML parsers should take a closer look at their code and test its vulnerability.
Both WordPress and Drupal use the same "Incutio XML-RPC Library", so they made almost the same fix, and even worked together to fix it.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
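
One way an extension that parses untrusted XML could check its input before handing it to a parser, shown as an added example that is not part of the thread and is not Joomla, WordPress or Drupal code. The helper name `xml_entity_guard()`, its parameters and the 1 MiB default budget are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not Joomla, WordPress or Drupal code). xml_entity_guard() is a
// hypothetical helper an extension could call before parsing untrusted XML.
// Returns null if the document may be parsed, otherwise the reason for refusal.
function xml_entity_guard(string $xml, bool $allowDtd = false, int $maxBytes = 1048576): ?string
{
    // The byte-level checks below assume an ASCII-compatible encoding (UTF-8).
    // UTF-16/32 input contains NUL bytes and would slip past them: fail closed.
    if (strpos($xml, "\0") !== false) {
        return 'unsupported encoding';
    }
    // Without a DOCTYPE no custom entities can be declared.
    if (stripos($xml, '<!DOCTYPE') === false) {
        return strlen($xml) > $maxBytes ? 'document too large' : null;
    }
    if (!$allowDtd) {
        return 'DOCTYPE not allowed';
    }
    // Internal general entities only: <!ENTITY name "value"> or 'value'.
    $ok = preg_match_all('/<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>/', $xml, $decls, PREG_SET_ORDER);
    // Parameter, external or otherwise unrecognised declarations: fail closed.
    if ($ok === false || $ok !== substr_count($xml, '<!ENTITY')) {
        return 'unsupported entity declaration';
    }
    $expanded = strlen($xml);
    foreach ($decls as $m) {
        $value = ($m[2] ?? '') . ($m[3] ?? '');
        // A value that references another entity expands recursively; refuse it.
        if (preg_match('/&[^#]/', $value)) {
            return 'nested entity reference';
        }
        // Quadratic blowup: one long value multiplied by many references.
        $expanded += substr_count($xml, '&' . $m[1] . ';') * strlen($value);
        if ($expanded > $maxBytes) {
            return 'entity expansion exceeds budget';
        }
    }
    return null;
}

// Constructed sample: a 100-byte entity referenced 50 times, checked against a 1 KiB budget.
$sample = '<!DOCTYPE r [<!ENTITY a "' . str_repeat('x', 100) . '">]><r>' . str_repeat('&a;', 50) . '</r>';
var_dump(xml_entity_guard('<r>plain</r>'));       // no DTD
var_dump(xml_entity_guard($sample));              // default policy refuses any DOCTYPE
var_dump(xml_entity_guard($sample, true, 1024));  // DTD allowed, expansion over budget
```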

