[FD] CVE-2014-9016 and CVE-2014-9034. Wordpress and Drupal DOS

[C0r3dump3d <coredump@xxxxxxxxxxxxx>]

====================================================================
DESCRIPTION:
====================================================================
A vulnerability present in Wordpress < 4.0.1 and Drupal < 7.34 allows an
attacker to send specially crafted requests resulting in CPU and memory
exhaustion. This may lead to the site becoming unavailable or
unresponsive (denial of service).

====================================================================
Time Line:
====================================================================

November 19, 2014 - A Drupal security update and the security advisory
is published.

November 20, 2014 - A Wordpress security update and the security
advisory is published.

====================================================================
Proof of Concept:
====================================================================

http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-
2014-9034-PoC.html

====================================================================
Authors:
====================================================================

-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info

====================================================================
References:
====================================================================

* https://wordpress.org/news/2014/11/wordpress-4-0-1/

* https://www.drupal.org/SA-CORE-2014-006

*
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html

*
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html

* http://www.devconsole.info/?p=1050

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/