WordPress and Drupal teams collaborate for simultaneous security releases

WordPress and Drupal are both releasing security updates today that affect all supported versions of the two popular CMS platforms.

Nir Goldshlager, a security researcher and part of the Salesforce.com Product Security Team, discovered a PHP-level vulnerability that could result in denial of service (DoS) attacks. Goldshlager notified the PHP, WordPress, and Drupal security teams all at once.

The vulnerability is within a PHP XML parser used by XML-RPC, and is “vulnerable to an XML entity expansion attack which can cause CPU and memory exhaustion, and MySQL to reach the maximum amount of open connections.”

The bug itself is relatively minor, but of interest is the collaboration between the WordPress and Drupal teams to create a fix. WordPress lead developer Andrew Nacin and Mike Adams of the WordPress security team collaborated on a fix for the vulnerability and offered to coordinate with the Drupal security team.

The fix devised by Nacin and Adams prevents the XML-RPC vulnerability while keeping the feature active. Turning off XML-RPC would have left the burden of handling the fix on the site owner or host and would have harmed clients such as the mobile apps.
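
One way a PHP XML-RPC endpoint can refuse entity-expansion input while staying enabled, shown as an added example (it is not the patch that shipped in WordPress or Drupal). The function name `xmlrpc_reject_reason` and the three limits are assumptions.

```php
<?php
// Added example, not the WordPress or Drupal patch.
// Function name and limits below are assumptions chosen for illustration.
const MAX_BODY_BYTES = 1048576; // assumed request size cap (1 MiB)
const MAX_ELEMENTS   = 30000;   // assumed cap on XML elements per request
const CHUNK_BYTES    = 65536;   // parse in chunks so the cap is checked mid-document

/**
 * Returns null when the body may be handed to the XML-RPC parser,
 * or a short rejection reason otherwise.
 */
function xmlrpc_reject_reason(string $body): ?string
{
    if ($body === '' || strlen($body) > MAX_BODY_BYTES) {
        return 'bad body size';
    }
    // UTF-16/32 input would hide "<!DOCTYPE" from the byte-level check below.
    if (strpos($body, "\0") !== false) {
        return 'unexpected encoding';
    }
    // XML-RPC needs no DTD, so any DOCTYPE or ENTITY declaration is refused
    // before the parser gets a chance to expand entities.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $body) === 1) {
        return 'DTD not allowed';
    }
    // Count elements while parsing chunk by chunk; stop as soon as the cap is hit.
    $count  = 0;
    $parser = xml_parser_create();
    xml_set_element_handler(
        $parser,
        function ($p, $name, $attrs) use (&$count) { $count++; },
        function ($p, $name) {}
    );
    $reason = null;
    $length = strlen($body);
    for ($offset = 0; $offset < $length && $reason === null; $offset += CHUNK_BYTES) {
        $final = ($offset + CHUNK_BYTES) >= $length;
        if (!xml_parse($parser, substr($body, $offset, CHUNK_BYTES), $final)) {
            $reason = 'malformed XML';
        } elseif ($count > MAX_ELEMENTS) {
            $reason = 'too many elements';
        }
    }
    return $reason;
}

// Constructed sample inputs: a plain call, and one carrying a DTD.
$ok  = '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName></methodCall>';
$dtd = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "b">]><methodCall/>';
var_dump(xmlrpc_reject_reason($ok), xmlrpc_reject_reason($dtd));
```

The DOCTYPE check can also reject a legitimate payload that carries the literal text `<!DOCTYPE` inside a CDATA section, which is a trade-off of matching on raw bytes.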

So, interestingly enough, two WordPress core developers are getting props today for both WordPress and Drupal releases. The respective security teams and Goldshlager have been working together for a couple of weeks now to appropriately address the situation and refine the patch included in today’s updates. The patch itself is for an external library that WordPress has always used, called the Incutio XML-RPC Library. Drupal uses a derivative of the same library, making the collaboration between the two teams quite logical and straightforward.

Andrew Nacin tells me that this is the first time he knows of that the WordPress and Drupal security teams have collaborated. It certainly goes to show just how beneficial open source is, that two completely different CMS platforms are able to quickly close such security holes.

The WordPress security release includes a few other minor security patches as well, but the collaboration between the WordPress and Drupal security teams is what makes this release most noteworthy, in my opinion.

WordPress will automatically update all eligible websites on the WordPress 3.7 through WordPress 3.9 major versions to include these fixes, as well as the WordPress 4.0 beta. The latest stable branch is now WordPress 3.9.2, and the WordPress 4.0 development branch is in beta 3. The release of WordPress 4.0 is still on target for the week of August 25th.

If you have automatic updates enabled for WordPress, you’ll see those roll out shortly; otherwise, you can download it from WordPress.org. You can also check out the official release posts for both Drupal and WordPress on their respective blogs.