2

I've stumbled upon an exploit method which I haven't really had time to investigate before. XML eXternal Entity is said to be susceptible of a server-side type of injection. I can specify a Document Type Declaration (DOCTYPE) to define the structure of XML. Inside the DOCTYPE I can define entities and assign particular values to them. Then I can use the entities in the XML code and the parser will replace them with their values.

    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE doc[
      <!ENTITY pwd SYSTEM "file:///etc/passwd">
    ]>
    <query>
      <name>Kiuhnm</name>
      <profession>&pwd;</profession>
    </query>

So in this case I can read arbitrary files. My question is: is it possible to forge an XML-based patch, or should I do this at the server level and disallow reading of files from the outside?

    1 Answer

    3

    Depending on your library you should be able to configure your parser to ignore entities.

    • Could you provide an example or link me to something I can read more about this, please? SimpleXML, for instance. Commented Mar 2, 2015 at 12:06
    • 2
      You can find more exploitation and prevention information at owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
      – wireghoul
      Commented Mar 2, 2015 at 12:48
    • 1
      @wireghoul While this is a perfectly fine answer, the idea of StackExchange is to provide concise & complete answers: The etiquette suggests that a definitive answer is within your post. Use links just for reference and source attribution. Anyway, here's an upvote. :)
      – freddyb
      Commented Mar 2, 2015 at 14:49
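
One way to apply the answer's advice with PHP's SimpleXML, which the first comment asks about. This is an added example, not code from the answer or its commenters; it assumes a libxml2-based PHP build, `load_untrusted_xml()` is a hypothetical helper name, and the sample document is the one from the question.

```php
<?php
declare(strict_types=1);
// load_untrusted_xml() is a hypothetical helper name, not a PHP built-in.
function load_untrusted_xml(string $xml): SimpleXMLElement
{
    if ($xml === '') {
        throw new InvalidArgumentException('empty document');
    }
    // Before PHP 8.0, also switch the external entity loader off explicitly;
    // the function is deprecated from 8.0, so it is skipped on newer versions.
    $legacy = PHP_VERSION_ID < 80000;
    $oldLoader = $legacy ? libxml_disable_entity_loader(true) : false;
    $oldErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // Deliberately not passed: LIBXML_NOENT (substitutes entities) and
        // LIBXML_DTDLOAD (loads the external DTD). LIBXML_NONET blocks network.
        $ok = $dom->loadXML($xml, LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($oldErrors);
        if ($legacy) {
            libxml_disable_entity_loader($oldLoader);
        }
    }
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    // Input that never needs a DTD: refuse any DOCTYPE outright.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE is not allowed');
    }
    $sx = simplexml_import_dom($dom);
    if (!$sx instanceof SimpleXMLElement) {
        throw new InvalidArgumentException('could not import document');
    }
    return $sx;
}

// Constructed sample: the document from the question.
$payload = <<<'XML'
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE doc [ <!ENTITY pwd SYSTEM "file:///etc/passwd"> ]>
<query><name>Kiuhnm</name><profession>&pwd;</profession></query>
XML;

try { load_untrusted_xml($payload); }
catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
echo load_untrusted_xml('<query><name>Kiuhnm</name></query>')->name, PHP_EOL;
```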
