Security Advisory

ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

Action Taken

Continuing the patches made in ZF2012-02 and ZF2012-05, we extended the fix to every usage of the PHP functions simplexml_load_*, DOMDocument::loadXML, and xml_parse, in order to prevent XXE and XEE attacks across the framework.

We have provided new components, Zend_Xml_Security in ZF1 and the standalone ZendXml, that scan and load XML documents to prevent the attacks described above. The XXE attack is prevented using the libxml_disable_entity_loader() function to disable the loading of ENTITY nodes. The XEE attack is prevented by checking for the presence of ENTITY elements in the document type declaration; in such cases, we throw an Exception with an error message indicating that we don't accept ENTITY declarations in XML documents for security reasons.

Moreover, because of PHP bug 64938, we have decided to handle the PHP-FPM scenario using a heuristic approach. We perform a search inside the XML string for any `<!ENTITY` element and, on detection, raise an exception.
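The following is an added illustration of the loading strategy the advisory describes, written for this page and not taken from Zend_Xml_Security or ZendXml. It combines the three measures in the order the text gives them: the string heuristic for `<!ENTITY`, a call to libxml_disable_entity_loader() around the parse, and a check of the parsed document type declaration for entity definitions. The function name load_xml_safely, the sample documents, and the use of LIBXML_NONET are assumptions made for the example.

```php
<?php
// Added example (not ZendXml code): load an XML string while refusing any
// document that declares entities, in the spirit of the ZF2014-01 patch.

function load_xml_safely(string $xml): DOMDocument
{
    // 1. Heuristic from the advisory: scan the raw string for an ENTITY
    //    declaration before libxml ever sees it. Case-insensitive on purpose,
    //    so the check is broader than the XML keyword itself.
    if (stripos($xml, '<!ENTITY') !== false) {
        throw new RuntimeException(
            'ENTITY declarations are not accepted in XML documents for security reasons'
        );
    }

    // 2. Disable external entity loading for the duration of this parse.
    //    (Deprecated since PHP 8.0, where external loading is already off by
    //    default, but still defined; kept here because the advisory targets
    //    older releases.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing. Never pass
        // LIBXML_NOENT here: it would turn entity substitution on.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $error = libxml_get_last_error();
            throw new RuntimeException(
                'Invalid XML: ' . ($error ? trim($error->message) : 'unknown error')
            );
        }

        // 3. Belt and braces: inspect the DOCTYPE that libxml actually parsed.
        //    DOMDocumentType::$entities lists declared entities; any entry means
        //    the heuristic above was bypassed somehow, so reject the document.
        if ($dom->doctype !== null && $dom->doctype->entities->length > 0) {
            throw new RuntimeException(
                'ENTITY declarations are not accepted in XML documents for security reasons'
            );
        }

        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        libxml_disable_entity_loader($previousLoader);
    }
}

// Constructed sample input: a harmless configuration document.
$benign = '<?xml version="1.0"?><config><debug>false</debug></config>';
$dom = load_xml_safely($benign);
echo $dom->documentElement->tagName, "\n"; // config

// Constructed sample input: the same document with a minimal internal
// entity declaration in its DOCTYPE, which the loader refuses outright.
$withEntity = '<?xml version="1.0"?><!DOCTYPE config [<!ENTITY e "x">]>'
            . '<config><debug>&e;</debug></config>';
try {
    load_xml_safely($withEntity);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The string check runs before any parsing, so it also covers the PHP-FPM case the advisory mentions, where libxml_disable_entity_loader() cannot be relied on; the post-parse DOCTYPE check exists only as a second line of defence and should never fire if the first one works.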

Note: the libxml library used by PHP to manage XML documents has been fixed against XEE attacks starting from libxml2 version 2.9. If you are using this version you can use the existing PHP functions without security concerns.

The following components/libraries were patched, at the version specified:

Other Information

About XML eXternal Entity (XXE) attacks:

About XML Entity Expansion (XEE) attacks:

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
