Full Disclosure mailing list archives
CVE-2014-9016 and CVE-2014-9034. WordPress and Drupal DoS
From: C0r3dump3d <coredump () autistici org>
Date: Mon, 01 Dec 2014 16:37:33 +0100
====================================================================
DESCRIPTION:
====================================================================

A vulnerability present in WordPress < 4.0.1 and Drupal < 7.34 allows an attacker to send specially crafted requests that result in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

====================================================================
Time Line:
====================================================================

November 19, 2014 - The Drupal security update and security advisory are published.
November 20, 2014 - The WordPress security update and security advisory are published.

====================================================================
Proof of Concept:
====================================================================

http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html

====================================================================
Authors:
====================================================================

-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info

====================================================================
References:
====================================================================

* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
* http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
* http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
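The advisory states only the effect (CPU and memory exhaustion from crafted requests). The cause, as described in the referenced vendor advisories, is that both platforms' phpass-derived password hashing re-digests the entire submitted password on every iteration of the work factor, so a login request carrying a multi-megabyte password costs the server time and memory proportional to its length. The following is an added example, not code from the original post or from either project: a simplified phpass-style iterated MD5 instrumented with a byte counter, with the unbounded check placed beside a hardened check that rejects oversized input before any hashing is done. The 2^8 iteration count, the 8-byte salt, the stored test digest and the 4096-byte cap are assumptions chosen for illustration (4096 bytes is the limit WordPress 4.0.1 adopted; Drupal 7.34 chose 512 bytes).

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Work factor: phpass "portable" hashes iterate the digest 2**COST_LOG2 times.
# Kept small here so the demo runs quickly; real installs use a higher value.
COST_LOG2 = 8

# Assumed cap, matching the 4096-byte limit WordPress 4.0.1 introduced.
MAX_PASSWORD_BYTES = 4096

# Constructed fixed salt and test credential (not real data).
SALT = bytes.fromhex("0102030405060708")
TEST_PASSWORD = b"correct horse"


def phpass_style_hash(password: bytes, salt: bytes,
                      cost_log2: int = COST_LOG2) -> tuple[bytes, int]:
    """Simplified phpass-style hash: h = md5(salt+pw), then h = md5(h+pw)
    repeated 2**cost_log2 times. Returns (digest, bytes_hashed); the second
    value shows that every iteration re-hashes the full password."""
    digest = hashlib.md5(salt + password).digest()
    bytes_hashed = len(salt) + len(password)
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + password).digest()
        bytes_hashed += len(digest) + len(password)
    return digest, bytes_hashed


def hashing_cost(password_len: int, salt_len: int = len(SALT),
                 cost_log2: int = COST_LOG2) -> int:
    """Closed form of the byte counter above: linear in the password length,
    multiplied by the iteration count."""
    return salt_len + password_len + (1 << cost_log2) * (16 + password_len)


# Digest an application would store for TEST_PASSWORD (constructed).
STORED_DIGEST, _ = phpass_style_hash(TEST_PASSWORD, SALT)


def check_password_unbounded(password: bytes, salt: bytes,
                             expected: bytes) -> tuple[bool, int]:
    """Vulnerable pattern: hashes whatever length the client sends."""
    digest, cost = phpass_style_hash(password, salt)
    return hmac.compare_digest(digest, expected), cost


def check_password_capped(password: bytes, salt: bytes, expected: bytes,
                          limit: int = MAX_PASSWORD_BYTES) -> tuple[bool, int]:
    """Hardened pattern: refuse oversized input before touching the hash,
    so the attacker cannot choose the server's work factor."""
    if len(password) > limit:
        return False, 0
    digest, cost = phpass_style_hash(password, salt)
    return hmac.compare_digest(digest, expected), cost


def time_check(func, password: bytes) -> float:
    """Wall-clock seconds for one password check (illustrative only)."""
    start = time.perf_counter()
    func(password, SALT, STORED_DIGEST)
    return time.perf_counter() - start


if __name__ == "__main__":
    oversized = b"A" * (1 << 20)  # a constructed 1 MiB "password"
    for name, func in (("unbounded", check_password_unbounded),
                       ("capped", check_password_capped)):
        normal = time_check(func, TEST_PASSWORD)
        big = time_check(func, oversized)
        print(f"{name:9s} normal={normal:.4f}s  1MiB={big:.4f}s")
    print("bytes hashed for 1 MiB input:", hashing_cost(1 << 20))
```

Running it shows the unbounded check spending hundreds of times longer on the 1 MiB input than on a normal password, while the capped check returns in constant time for anything over the limit. The cap belongs in front of the hash, not after it: applying it anywhere later leaves the expensive work already done.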