ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse
Numerous components utilizing PHP's XML parsing functionality (simplexml_load_*, DOMDocument::loadXML, and xml_parse) are vulnerable to two types of attacks:
- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability, an application may be coerced into opening arbitrary files and/or TCP connections, with their contents ending up in the parsed document.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service. XEE attacks occur when the XML DOCTYPE declaration includes entity definitions that contain either recursive or circular references (the "billion laughs" pattern); expanding them consumes CPU and memory, making Denial of Service exploits trivial to implement.
Continuing the patches performed in ZF2012-02, we extended the fix to every usage of the PHP xml_parse functions, in order to prevent XXE and XEE attacks across
We have provided new components, Zend_Xml_Security in ZF1 and ZendXml, that scan and load XML documents to prevent the previous attacks. The XXE attack is prevented using the libxml_disable_entity_loader() function, which stops libxml from resolving external entities (SYSTEM and PUBLIC identifiers) while the document is parsed. The XEE attack is prevented by checking for the presence of ENTITY declarations in the document type declaration; in such cases, we throw an Exception with an error message indicating that we don't accept ENTITY declarations in XML documents for security reasons.
Moreover, because of PHP bug 64938, which affects libxml_disable_entity_loader() under PHP-FPM, we have decided to manage the PHP-FPM scenario using a heuristic approach. We perform a search inside the XML string for any <!ENTITY element and, on detection, raise an exception.
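The two payloads described above and the loader strategy just outlined, as an added example that is not the Zend_Xml_Security or ZendXml code itself. The function names (parseUnsafely, scanXml), the PHP_SAPI check used to pick the PHP-FPM heuristic, and both sample documents are constructed for this illustration; the XXE sample reads a temporary file that the script creates, so it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample: an XXE payload that pulls a local file into the
// document through an external (SYSTEM) entity. The file is created here so
// the demo is self-contained and harmless.
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, "top-secret\n");

$xxePayload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY leak SYSTEM "file://{$secretFile}">
]>
<doc>&leak;</doc>
XML;

// Constructed sample: an XEE ("billion laughs") payload. Each entity expands
// to ten copies of the previous one; three levels are only 2 KB, but nine
// levels would be about 2 GB of text.
$xeePayload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "aaaaaaaaaaaaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<doc>&c;</doc>
XML;

/**
 * The pattern the advisory warns about: untrusted XML loaded with entity
 * substitution enabled and no check on the DOCTYPE. For $xxePayload the
 * returned text is the contents of $secretFile.
 */
function parseUnsafely(string $xml): string
{
    $dom = new DOMDocument();
    // LIBXML_NOENT substitutes entities, external ones included, which is
    // what lets the SYSTEM entity above read a file.
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom->documentElement->textContent;
}

/**
 * Hardened loader in the spirit of the advisory: refuse any document whose
 * DOCTYPE declares entities, and never let libxml resolve external entities.
 *
 * @throws RuntimeException on any entity declaration or parse error
 */
function scanXml(string $xml, ?bool $useHeuristic = null): DOMDocument
{
    // Assumption for this example: apply the string-search heuristic when
    // running under PHP-FPM (the scenario affected by PHP bug 64938); callers
    // can force it on or off explicitly.
    $useHeuristic = $useHeuristic ?? (PHP_SAPI === 'fpm-fcgi');
    if ($useHeuristic && stripos($xml, '<!ENTITY') !== false) {
        throw new RuntimeException('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
    }

    // libxml_disable_entity_loader() is deprecated since PHP 8.0, where
    // external entity loading is already off unless LIBXML_NOENT/DTDLOAD is
    // requested; only toggle it on older versions and restore it afterwards.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT / LIBXML_DTDLOAD: entities are never substituted.
        if (!$dom->loadXML($xml)) {
            $err = libxml_get_last_error();
            throw new RuntimeException('Malformed XML: ' . ($err ? trim($err->message) : 'unknown error'));
        }
        // Any entity declared in the internal DTD subset rejects the document.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE && $child->entities->length > 0) {
                throw new RuntimeException('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
            }
        }
        return $dom;
    } finally {
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Demo: the unsafe loader leaks the file, the hardened loader rejects both
// payloads (with the heuristic forced on, as under PHP-FPM) and still accepts
// a plain document.
echo "unsafe: ", parseUnsafely($xxePayload);
foreach (['xxe' => $xxePayload, 'xee' => $xeePayload] as $name => $payload) {
    try {
        scanXml($payload, true);
    } catch (RuntimeException $e) {
        echo "$name rejected: ", $e->getMessage(), "\n";
    }
}
echo "safe: ", scanXml('<doc>hello</doc>', false)->documentElement->textContent, "\n";
unlink($secretFile);
```

The DOCTYPE check is the primary defence because it inspects what libxml actually parsed, while the `<!ENTITY` string search is a coarser pre-filter that also catches documents libxml would refuse to load; with the heuristic turned off, the DOM walk still rejects both payloads.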
Note: the libxml library used by PHP to manage XML documents has been fixed against XEE attacks starting from libxml2 version 2.9. If you are using this version or later you can use the existing PHP functions without XEE concerns; the XXE mitigation still requires that external entity loading be disabled.
The following components/libraries were patched, at the version specified:
- Zend Framework 1, version 1.12.4
- Zend Framework 2, versions 2.1.6 and 2.2.6
- ZendOpenId, version 2.0.2
- ZendRest, version 2.0.2
- ZendService_Amazon, version 2.0.3
- ZendService_Api, version 1.0.0
- ZendService_AudioScrobbler, version 2.0.2
- ZendService_Nirvanix, version 2.0.2
- ZendService_SlideShare, version 2.0.2
- ZendService_Technorati, version 2.0.2
- ZendService_WindowsAzure, version 2.0.2
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
- Lukas Reschke (email@example.com) for reporting the potential XXE attacks in some components of ZF1 not previously fixed, and for suggesting a possible fix for PHP-FPM scenarios
- Pádraic Brady (firstname.lastname@example.org) for implementing the first XEE security patch (ZF2012-02)
- Enrico Zimuel (email@example.com) for improving the previous solution and extending it to all the use cases